Dave Stork's IMHO (https://dirteam.com/dave)
A blog mostly about Exchange related stuff.

Free community event in Maarssen (NL) this Thursday evening
https://dirteam.com/dave/2018/02/19/free-community-event/
Mon, 19 Feb 2018 11:43:20 +0000

What? A free community event in a first collaboration between Dutch and Belgian Exchange, Skype and Office 365 experts. There will be two sessions, but before and after the sessions you are free to talk with any of them about Exchange, Skype for Business/Teams and Office 365.

When? This Thursday evening starting at 18:00.

Where? Maarssen (near Utrecht) at the Fujitsu office.

Who? MVPs like Jaap Wesselius, Dave Stork, Michel de Rooij, Steven Van Houttum and Michael Van Horenbeeck, along with well-respected experts such as Thomas Verwer and Kay Sellenrode, will be there.

Office 365 will allow TLS 1.2 only starting October 31st 2018
https://dirteam.com/dave/2018/01/10/office-365-only-allows-tls-1-2/
Wed, 10 Jan 2018 21:51:03 +0000

*Update 10 February 2018* So, Microsoft announced a new date for this change and updated their support article regarding TLS support. It’s now October 31st 2018, instead of March 1st 2018. This gives organizations a lot more time to prepare for this change. IMHO the previous date was maybe a little too ambitious and it seems that Microsoft got enough feedback to push back the date.

Unfortunately I don’t have anything to share yet regarding SMTP, but we’ve gotten a few more months. I still suggest you go ahead and check whether the relevant parts of your environment are capable of using TLS1.2.

Microsoft announced an upcoming change for secure connections in a support article last updated 19th December 2017. Office 365 will only initiate and accept connections secured by TLS 1.2 (Transport Layer Security) as of March 1st 2018. There will be no support for the older TLS versions 1.0 and 1.1. This is a proactive measure against possible downgrade attacks that might pop up in the future.

Microsoft warns that client-server and browser-server combinations must use at least TLS1.2. According to Microsoft, most connections to Office 365 already use TLS1.2. The change also impacts any on-premises architecture such as Active Directory Federation Services (ADFS) and Exchange Hybrid; these would require inbound and outbound TLS1.2 connections. You do not have to disable TLS1.0/1.1 in your on-premises environment; disabling TLS 1.0 or 1.1 might cause issues. Being up to date with software that is still in support is important, and check whether TLS1.2 is actually enabled after updating.

In another article Microsoft explains a little bit what the impact might be for different Windows OSes. The article does not explicitly mention non-Microsoft solutions that connect with Office 365, and I fear some of those solutions will not be checked. The longer I thought about those scenarios, the more worried I got that some organizations might run into issues when this change comes into effect. The support article does not specify any particular protocol, so I assume that every protocol is affected. Regarding Exchange Online, I can think of HTTPS, POP/IMAP and SMTP. I will focus only on these protocols, but that doesn’t mean other protocols or services won’t be impacted in a way specific to that service (Skype for Business Online, for instance).

HTTPS

Most solutions (applications, devices, SaaS) use the HTTPS protocol to connect with Office 365, for instance via Exchange Web Services (EWS) or Microsoft Graph. I know of some Java or other platform-based applications; it is feasible that they run on older platform versions that do not support TLS1.2 or need it actively enabled. Check each of those applications to see whether it is already compliant. You might have to update the platform first, which could in turn break things and require further updates. I suggest you check your business-critical applications as soon as possible; doing so should give you enough time to prepare and hopefully prevent downtime. Also check any application or appliance that connects to Office 365, such as a room manager display (my employer uses them for every bookable room); you might have to update the firmware.

If for whatever reason you are stuck with solutions that will not support the new security requirements, consider workarounds. This could be something like a caching proxy that is able to create HTTPS TLS1.2 connections on behalf of the internal solutions that can’t. This will probably require some configuration and testing in your environment.

POP/IMAP

I know there are applications or appliances that still use these protocols in order to extract data from mailboxes. As these are old protocols, some applications might not even support any form of secure POP/IMAP, let alone TLS1.2. Check those applications, and check whether they (after updating) perhaps support more modern HTTPS-based solutions such as EWS. A more modern protocol might also mean a more modern approach to encryption, such as support for TLS1.2.

SMTP

I found SMTP an especially interesting protocol in the context of this security change. You have to check several uses:

Incoming and outgoing mail from and to unknown organizations: Opportunistic TLS SMTP.

Mail relaying

Check your applications/appliances that use SMTP to connect to Office 365, because they might require firmware or software updates to support TLS1.2. If the supplier has not yet added support, you might have to contact them or use a relaying SMTP server that makes the direct connection to Office 365. You might have to plan, design and implement some infrastructural changes, which might also add costs.

Partner connections

If you have connections set up with partner organizations to ensure that SMTP transport is encrypted, your mail flow to that partner might fail. You have to contact your partner organization and warn them of the impending change so they can check and prepare. They might have to consider alternatives that do work within the new security reality.

If they are using Office 365, or even just Exchange Online Protection (EOP), the change obviously won’t be a problem. But if your partner organization uses another cloud solution for the SMTP partner connection, have them check whether it supports TLS1.2. If not, they have to contact their provider in time or switch.

To be clear, we are talking about the first connection point from your Office 365 environment to their organization. This is sometimes different from their MX configuration.

Opportunistic TLS SMTP

The change could impact all incoming or outgoing mail. Opportunistic TLS is the principle that an incoming or outgoing SMTP connection is first attempted with encryption; mail servers fall back to an unencrypted connection when no encryption is possible.

The need to fall back to older transport security, or none at all, is quite common with SMTP connections, due to lazy admins, misconfigurations, and “it’s always been done this way and we would rather have mail at all than have it transported securely”. Preferably every SMTP connection uses some form of encryption, but this is just the way it is and we have to accept it.

Create a partner connection (but remember the caveats from the previous paragraph) if you really require a guaranteed secure mail flow with some of your partners.

I have asked Microsoft for some clarification regarding SMTP, as there are very valid reasons to still allow TLS1.0/1.1 for SMTP connections. When I get a reaction I will update this post. It is technically possible that SMTP is the exception to this new support statement, but I will not assume this.

How to check?

How do you know if there are any issues? It highly depends on your infrastructure. You need access to OSI model Layer 7 in order to inspect the TLS version. Check whatever connection logging is available. Use OpenSSL tools to check whether TLS1.2 is available. Use Fiddler to monitor whether TLS1.2 connections are actually used. I wrote a blog post two years ago on how to check your connections.

When you know which connections still aren’t able to leverage TLS1.2, you know you have some work to do.

I’ll be speaking at E-Communications & Collaboration Day 2017 (BE-COM.eu) on May 3rd 2017
https://dirteam.com/dave/2017/04/20/ill-be-speaking-at-e-communications-collaboration-day-2017-be-com-eu-on-may-3rd-2017/
Thu, 20 Apr 2017 15:39:06 +0000

In a few weeks, I’ll be travelling to Novotel Leuven in my neighboring country Belgium for the E-Communications & Collaboration Day 2017, a full day (May 3rd 2017) of expert presentations and content about Office 365, Exchange, Skype for Business and related technologies. During this day, I will be presenting “Securing Exchange Online”:

In this session, Dave Stork will go through the capabilities of Exchange Online (Office 365) to further secure your email data and mail flow. Questions like:
• How can I ensure mails are not intercepted by third parties?
• Which tools are available to limit (inadvertent) data leaks?
• How can I mitigate mail spoofing and malicious emails?
• How to ensure end-point security on clients?
During the session, techniques like Exchange Online Protection (EOP) and Advanced Threat Protection (ATP), SPF, DKIM, DMARC, TLS, RMS (Rights Management Services) and DLP (Data Loss Prevention) are discussed, and how an admin can use them to further secure their organization’s mail platform. The focus will be Exchange Online, but other services from Office 365 and Azure AD will make an appearance. Some techniques are also valid for on-premises Exchange environments.

If that doesn’t interest you, there are obviously other sessions within two tracks covering Office 365 & Exchange and Skype for Business, presented by an impressive list of Microsoft MVPs and other experts.

There is an entrance fee (€49) which also covers drinks & catering during the day. Be sure to check out the conference page and register!

Creating an Activity alert in Office 365
https://dirteam.com/dave/2017/04/10/creating-an-activity-alert-in-office-365/
Mon, 10 Apr 2017 13:56:18 +0000

Within Office 365 you can use Audit Logging to monitor specific actions admins and users take. It’s comparable with auditing within Exchange, but for most actions available in your Office 365 tenant. However, you need to run a search to find those actions, perhaps long after the fact. That might be adequate for most organizations, but it would be nice to get a near-immediate alert on the important stuff. Luckily, that is also possible!

Consider the following scenario: you share a document via SharePoint using an Anonymous link, meaning that everyone who has the link can download the document. Downloads are logged, but you require an alert right after it happens.

When you go to Security & Compliance > Search & Investigation > Audit log search you will see a “New alert policy” button at the bottom of the page.

Click on that button and a new screen shows up:

Give it a name and a clear description. Under “Alert Type” you can choose “Custom” or “Elevation of privilege”; choose Custom. Under “Choose activities for alert” select “Downloaded file”.

Under Users, keep the field empty in order to monitor Anonymous actions.

In the field “Send this alert to…” fill in the user(s) you want the alert sent to. Unfortunately it doesn’t seem to work with groups/contacts, but it does work with Shared Mailboxes. By default the address of the admin creating the alert is used.

After that, the configured mailbox will get an alert mail when the alert is triggered.

If you no longer require the alert or need to adjust it, you can do that under Security & Compliance > Alerts > Manage Alerts.

Unfortunately the alerts are less granular than the search: the search includes a field to further specify a file, folder or site, which is not available for alerts.

Even so, it’s a great addition for those organizations that require more proactive monitoring of certain actions in their Office 365 tenant. There are a lot of actions from different services (SharePoint, Exchange, user provisioning, Teams etc.) that can be monitored, so check it out!

As the alert mails have a consistent format, you could create further actions based on the mail. For instance with Microsoft Flow.

Can I place my Exchange hybrid management server in Azure and use Azure Domain Services?
https://dirteam.com/dave/2017/03/31/can-i-place-my-exchange-hybrid-management-server-in-azure-and-use-azure-domain-services/
Fri, 31 Mar 2017 13:18:10 +0000

As some might know (although I and others have to repeat this regularly…), if you enable directory synchronization from your on-premises Active Directory (AD) and you migrate all your Exchange mailboxes to Exchange Online, you still require an Exchange server to manage mail(box) objects. It is the only supported solution, even though some use third-party tooling or ADSIedit. Luckily this managing Exchange server doesn’t require the same amount of resources as Exchange servers hosting actual production mailboxes, and in certain cases you can get a free “hybrid” license, limiting costs. But still, it’s a bit of operational overhead that a lot of organizations want to minimize. While Microsoft has indicated that it is actively working on removing this requirement (see PowerPoint slide 36), it will probably take a long time before we can enjoy that new reality.

What to do in the meantime? In some cases organizations are looking at Microsoft Azure to host that specific Exchange management server. That has the benefit of not requiring resources in the organization’s (on-premises) datacenters. So, is that a viable solution?

P.S. The Exchange Hybrid server doesn’t exist as a separate role; it’s still a full-featured Exchange server. But in this scenario it’s only used to maintain a Hybrid Exchange environment and for management, hence my use of the term Hybrid management server. I know some readers who have a pet peeve regarding the use of “Exchange Hybrid Server”. You know who you are.

Practical PowerShell Exchange Server 2016 aka Writing a book
https://dirteam.com/dave/2017/03/29/practical-powershell-exchange-server-2016-aka-writing-a-book/
Wed, 29 Mar 2017 07:03:20 +0000

Some of you may have wondered why I was somewhat quiet. The reason was that during the last year (and a half?) I was writing a book with MVP Damian Scoles. That book is now available as a PDF and Apple iBook! The physical paperback is now also available in our shop and includes a PDF and ePub version. Other eBook formats (Amazon, Kobo, Nook etc.) will follow soon as well.

Damian and I decided to keep the whole process of writing the book under our own control. That meant a lot more than just writing content: also formatting, book things like copyright and ISBN numbering, securing technical reviewers, marketing and advertising, setting up a web shop, etc.

This was an extra challenge for the both of us. Although I had some experience being a Technical Reviewer, I hadn’t been an author let alone a publisher/marketer etc. at the same time. Things you don’t have to bother with when using a publisher. However, doing every bit ourselves keeps us in control and keeps us economically independent (i.e. we decide whether we update the book and not the publisher based on sales and revenue).

When it finally was published (starting 1st March 2017 with the PDF) it was very gratifying to see the results of all that hard work (most of which Damian has done; if you need an InDesign and ePub expert) and all the feedback. I certainly didn’t do it to add income, although it would be nice to at least get our investment back. I did it for the experience, and that was very educational. Not only on how to write a book, but I also gained some personal insights. Hard to put a price tag on that.

The focus at the moment will be getting the book available in physical form (already available!) and on several other ebook platforms. After that we will probably take a little break to re-energize, so we can fix errors and potentially add content for an updated version. We do not have any further details to share about that at this time, but be sure to sign up for the newsletter at our Practical PowerShell site!

Exchange Server 2007 (almost) EOL!
https://dirteam.com/dave/2017/03/20/exchange-2007-almost-eol/
Mon, 20 Mar 2017 11:19:35 +0000

Just a quick reminder that Exchange Server 2007 will have no support after April 11th 2017. Although every install will continue without any issue after this date, continuing to use this product is a risk. Security fixes won’t become available, and little things like timezone/daylight savings changes aren’t updated either, which could have a high impact in your organisation.

You can transition to Exchange Server 2010 but preferably Exchange Server 2013. However, I would suggest migrating to Exchange Server 2016 but as there is no coexistence you would have to do a double migration (via Exchange Server 2013) or migrate towards Office 365/Exchange Online. MVP Steve Goodman has written a nice blog post with all your options in more detail.

The end is nigh for Exchange 2007: support nearing end and some other reasons to upgrade
https://dirteam.com/dave/2016/04/11/the-end-is-nigh-for-exchange-2007/
Mon, 11 Apr 2016 16:20:13 +0000

The Exchange Team blog reminded us today that in about a year the extended support for Exchange Server 2007 will end. This means no more updates of any kind, not even security updates. Feature updates already stopped 4 years earlier when Mainstream support ended. The product will continue to run, but the longer it’s kept in production, the more risk it adds to your environment due to security issues not being fixed. You can find lifecycles of other Microsoft products here.

Another risk is that newer products won’t work (as intended) with Exchange 2007 anymore. For instance, Outlook 2016 won’t connect to Exchange 2007. Furthermore, features such as the Database Availability Groups far outperform (IMHO) any clustering solution available in 2007. There wasn’t any multi-browser support for OWA. And the list goes on. It’s really, really time to upgrade. Do note that you can migrate to Exchange 2013, but not to Exchange 2016 (without phasing out your last 2007 server).

Another potentially important tidbit is that Exchange 2007 SMTP, IMAP and POP3 do not support TLS1.1 and TLS1.2; they do, however, support TLS1.0. HTTPS is not affected by this. This (a fact that may surprise some) has only recently been fixed in Exchange 2010 SP3 RU9 and 2013 CU8, but given the support status of Exchange 2007 it is reasonable to assume that it will not be addressed there. Those who require TLS1.1/1.2 for SMTP will have to either place another SMTP solution in front of Exchange or upgrade. For IMAP/POP3 a reverse proxy or similar solution could provide the required level of encryption.

To be clear: HTTPS services on Exchange 2007 do support TLS1.1 and TLS1.2 (when enabled). Just SMTP, IMAP and POP3 do not.

If you want to check which encryption protocols and ciphers your servers support, check my previous blog post: Checking security protocols and ciphers on your Exchange servers. If you want to check the supported protocols of your SMTP solution (which wasn’t covered in my original post), use OpenSSL for Win32 (sslscan isn’t being maintained and has some downsides). The syntax looks like this:

openssl s_client -connect <fqdn>:25 -starttls smtp

Add -ssl3, -tls1, -tls1_1, -tls1_2 to test specific protocols. If you don’t get a Server Certificate, the protocol is probably not supported.
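The check described here, and in the “How to check?” section of the TLS 1.2 post above, scripted as an added example (not code from the original posts): it runs the openssl s_client command once per protocol flag and interprets the output with the “Server Certificate” heuristic. Hostnames are placeholders; use a STARTTLS protocol argument for port 25 and none for HTTPS on 443.

```shell
#!/bin/sh
# Added example (not from the original post): probe which TLS versions an endpoint
# accepts by running the openssl s_client command from the post once per protocol
# flag and reading the result the way the post describes: a "Server certificate"
# block means the handshake completed, "no peer certificate available" means the
# server refused that version. Hostnames below are placeholders.

# Classify one captured openssl s_client output ($1).
# A client that cannot even offer the version (OpenSSL builds or policies that
# drop -ssl3 / -tls1) is reported separately, so an "unsupported" verdict is
# never drawn from a client-side limitation.
tls_result() {
    case "$1" in
        *"nknown option"*|*"no protocols available"*)
            echo client-cannot-offer ;;
        *"Server certificate"*)
            echo supported ;;
        *"no peer certificate available"*|*"handshake failure"*|*"alert protocol version"*)
            echo unsupported ;;
        *)
            echo unknown ;;
    esac
}

# Probe host ($1), port ($2) with protocol flag ($3, e.g. -tls1_2) and an
# optional STARTTLS protocol ($4, e.g. smtp); prints the classification.
probe() {
    if [ -n "${4:-}" ]; then
        out=$(openssl s_client -connect "$1:$2" -starttls "$4" "$3" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
    fi
    tls_result "$out"
}

# Report every protocol version for one endpoint; returns 0 only when TLS1.2
# is supported (the requirement the TLS 1.2 post is about), 1 otherwise.
report() {
    host=$1; port=$2; starttls=${3:-}
    ok=1
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        verdict=$(probe "$host" "$port" "$flag" "$starttls")
        printf '%s:%s %-8s %s\n' "$host" "$port" "$flag" "$verdict"
        if [ "$flag" = -tls1_2 ] && [ "$verdict" = supported ]; then
            ok=0
        fi
    done
    return $ok
}

# Constructed, abridged sample outputs for offline checking of the classifier.
SAMPLE_SUPPORTED='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mail.example.invalid
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_REFUSED='CONNECTED(00000003)
140:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:...
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'
SAMPLE_CLIENT='s_client: Option unknown option -ssl3
s_client: Use -help for summary.'

# Usage: sh tlsprobe.sh mail.example.invalid 25 smtp
#        sh tlsprobe.sh outlook.example.invalid 443
if [ $# -ge 2 ]; then
    report "$@"
fi
```

The exit status of report lets the same script serve as a pre-change inventory check across a list of endpoints.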

Exchange Server 2016 is available, now what?
https://dirteam.com/dave/2015/10/01/exchange-server-2016-is-available-now-what/

• Install OS can be Windows Server 2012 or 2012 R2 Standard or Datacenter
  ◦ Windows Server 2016 support may require a Cumulative Update
• Windows Server 2008 Forest/Domain Functional level
  ◦ Previously a Functional level of 2008 R2 was announced
• Outlook 2010, 2013 and 2016 and Outlook for Mac 2011/for Office 365
  ◦ Some updates are required
  ◦ Outlook 2007 is not supported

If your environment doesn’t meet these requirements, you have some work to do. Regarding any coexistence issues, work your way to Exchange 2013 first, then to 2016. The migration from 2013 to 2016 is the easiest and most risk-free transition to date. Some information can be found in the Ignite session “Deploying Exchange Server 2016” by Brian Day. Remember, once you’ve updated your AD Schema you will not be able to add new legacy Exchange servers of versions other than 2016.

Do note that some requirements might have changed after those sessions (as the sessions themselves warn).

Please note that some functionality isn’t available yet. For instance, SharePoint 2016 is currently only in preview and it’s not recommended to install that in your production environment. For viewing/editing Office documents in Outlook on the web (Ootw, the re-branded Outlook Web App or OWA), you will require the Office Online Server, which is currently also in preview and not supported in production environments. Until it’s generally available, Ootw users will have to download Office documents and view them locally.

Other functionality that has been announced but isn’t available in this build will become available in upcoming Cumulative Updates, the first one in early 2016. The most notable features currently missing but upcoming are, IMHO, Search Index from Passive DB, REST APIs, auto-expanding archives and inline image controls for Outlook on the web.

Currently no sizing information has been released, such as an Exchange Server Role Requirements Calculator specifically for Exchange 2016. Although Exchange 2016 might feel more like Exchange 2013 Service Pack 2, I wouldn’t blindly use the Exchange 2013 calculators for 2016. For instance: the required IOPS per mailbox has decreased again. That probably has some trade off in memory as it had in Exchange 2013. Also, the Search Index from Passive DB will have an important impact on the WAN requirements if you plan to have a stretched DAG (over two physical sites), but is currently not in the RTM build. However, it’s something an upcoming calculator will most likely incorporate in order to present you correct WAN usage with this feature (and thus might save you money by preventing extra investments in WAN bandwidth).

So, if your environment has all the necessary requirements ticked off, should you transition immediately? Although my experience with earlier builds has been okay (already better than Exchange 2013 RTM was, but mind you, my current 2016 experience is from working in a lab environment), it’s probably best to wait until some of the sizing tools become available, or your specific UM language files if required. You can get a lot of issues when the servers aren’t sized properly; best to have some patience and get it right.

However, there is no reason not to start preparing for an eventual migration. You can test this build, including the SharePoint and Office Online Server previews, in an isolated lab environment to get a feel for how it works and to test your dependencies with other products (like back-up, anti-virus etc.).

If you really can’t wait for some of the nifty new features in Exchange 2016, maybe you should consider Office 365, as some of them are already implemented there. But what’s the fun in that?

Note: At this time you can mix 2013 and 2016 servers in a single DAG. THIS IS NOT SUPPORTED AND SHOULD NOT BE PERFORMED. It will be blocked in an upcoming update. This is stated in the release notes and Michel de Rooij and Paul Cunningham have blogged about this as well.

In light of Windows 10: Comparing Service and Privacy agreements
https://dirteam.com/dave/2015/09/14/in-light-of-windows-10-comparing-service-and-privacy-agreements/
Mon, 14 Sep 2015 19:00:51 +0000

There’s been a lot of media attention regarding Windows 10 and privacy concerns. Unfortunately not all reports contain correct facts, while others suggest some of the implemented technology is unique to Windows 10. There’s a lot of bad reporting (do some of them even fact check?) or even malicious FUD (Fear, Uncertainty and Doubt) out there.

Now, don’t get me wrong, knowing how the products you use handle your (meta)data and privacy is IMHO very important and should receive all the scrutiny. But it is equally important to get it right.

Being annoyed by all the FUD, and inspired by Ed Bott’s article No, Microsoft is not spying on you with Windows 10, I’ve decided to check the Service and Privacy agreements of other operating systems and equivalent cloud services and compare them as fairly as possible. As Windows 10 is basically a multi-form-factor OS, I wanted to compare it with Apple’s Mac OS and iOS and Google’s Chrome OS (basically Chrome), as they are the big three OS and device companies.

Android is a bit of a weird OS, as the responsibility lies with the manufacturers of the device in question and not specifically with Google, unlike Windows and MacOS/iOS. Searching for agreements specific to Android points towards Google’s Service agreement (because of the Google Play store, which could be regarded as a service). For this post this shouldn’t be a problem, as the privacy concerns arise when any data leaves your device, which means that you (consciously or unconsciously) use services.

When relevant, some of the comparable supporting cloud services are included. Please note that I’m no legal expert, but I do think I’m able to determine whether Windows 10 or rather what is stated in the agreements is unique in data gathering and should receive more scrutiny regarding privacy.

Now, my focus is on the agreements in which Microsoft, Apple and Google tell you what to expect when using their products. Here and there I’ve added some context with technical info on how it works within the products, but that is subject to change and I might have overlooked some aspects.

Sources

If there is a selection to be made regarding region or country, I’ve standardized on USA sources for all excerpts. So, depending on the region, the texts may vary. The starting points of the sources I’ve used (although I’ve not used them all) are the following:

There are certainly more subjects that can be investigated, but these four should provide a good impression of how the three companies work. For these features it’s not always clear at first sight how they work or what data they use, whereas most services that use your personal data are a conscious choice. The investigated areas are less conscious IMHO. I urge you to check these statements and investigate other topics yourselves.

I’ve also written about how easy/hard it is to find this information, the quality of the information provided and default settings.

I’ll try to find the relevant passages, quote them and compare the equivalents of the aforementioned big three. To keep this post a bit more readable, the quoted passages are posted at the end of this post, beyond the conclusion, under the header Excerpts.

My Findings

Discoverability

Searching for those pages wasn’t that hard, although with Apple you have to select the specific service and then your country. There are separate documents if you look at the software license agreements. Some are PDFs and some are web based. Google’s pages are also somewhat scattered, but I found the info I was looking for more easily, although I couldn’t find everything I needed (Google Now for instance). The Microsoft pages are at least consolidated, with a Frequently Asked Questions page specifically for Windows 10, which IMHO is more user-friendly compared to the other two. One downside is that it can be confusing which form factor it is meant for; the main example is the possible removal of illegal software, which is meant for the Xbox One that will be running Windows 10.

In all cases the privacy and Service agreements can be found during install/first startup (Microsoft/Apple) or by looking in settings (Google, devices might differ). In my opinion Microsoft and Apple do it better than Google, when you start using their devices/OS.

Information provided

In my opinion all of them give only general but enough information about what kind of diagnostic data is collected. What actually is sent is not visible to users. I’m okay with that, it’s probably not that useful for non-experts, but it shows at least some willingness toward more transparency (not saying that not doing this is being malevolently secretive, mind you; I see it as an extra service).

In practically all cases a method of adjusting a (privacy related) setting is explained in the documents mentioned (very specific or somewhat more general).

If I couldn’t find anything explicitly mentioning that something is done, I assume it is not done. For instance, I couldn’t find any information on whether Apple enables you to delete location history (if it is saved by them). In that case, I assume they don’t provide you with that option.

Default setting

One of the concerns is that some settings related to privacy are enabled by default in Windows 10. While I understand this criticism, it is actually not completely true. While installing Windows 10 (either clean or via in-place upgrade), users have the option to use Express Settings, which enables most features, while Custom Settings allows you to change those settings before they are active (with one notable exception).

I do concede that the Custom Settings option should be more prominent, or those questions should always be asked (the reverse of how it is now), but it’s still a choice and thus calling those settings enabled by default is not entirely correct IMHO. Apple and Google do ask very explicitly (in their out-of-the-box experience) about some of the features discussed, although I didn’t check this thoroughly.

This aspect wasn’t the focus of my research, but still relevant enough not to leave unmentioned. I have checked some settings on my Apple iPad 2 and my Yarvik Noble 7c (Android 4.1.1, default vendor settings, not rooted).

Diagnostics & Telemetry

I’ve provided a table to easily compare between the three companies. To see which sources I’ve used, scroll down to the Excerpts section at the end of this post.

Diagnostics & Telemetry | Microsoft | Apple | Google
--- | --- | --- | ---
Opt-in | No (1) | Yes | Yes (2)
Can be disabled | No (1) | Yes (3) | Yes
Used for improvement (new features) | Yes | Yes | Yes
Used for diagnosis or errors | Yes | Yes | Yes
Uses Personal Data | No (4) | No (4) | No (4)

(1) With Custom Settings at first start you can set the amount of telemetry gathered and sent to Microsoft (On means Full, Off means Enhanced; unfortunately not Basic). It cannot be turned off completely. The Express Settings screen does state that the default and recommended settings can send data to Microsoft.

(2) This was derived from agreements specifically for Chrome OS; on my Android device I didn’t have the option to toggle Usage & Diagnostics. I’m not sure if anything is sent with this device.

(3) Apple also offers the option to prevent sending diagnostic and usage info to app developers.

(4) Only by accident due to memory captures. With Microsoft this would only happen with the Full setting and not with Basic and Enhanced, an option Apple and Google don’t seem to provide.

Basically they all do practically the same thing, although Google and Apple seem to choose opt-in (however, I do not know when they present you this selection; I think as part of an out-of-the-box experience), whereas with the default (Express Settings) Microsoft turns it on at the highest setting, and using Custom Settings and turning the feature off will enable it at the Enhanced setting (not the lowest, Basic, setting). Telemetry in Windows 10 Home and Pro cannot be turned off completely without third party tools or Microsoft tools. However, in all cases no personal data is sent back home intentionally. Admins can turn this off completely with a GPO (Group Policy Object).
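To check which of the Basic/Enhanced/Full levels is actually in effect on a machine, here is a small PowerShell script I added for this post (not code from Microsoft or from this post’s sources). It reads the AllowTelemetry value from the Group Policy registry location and from the location the Settings app writes to; the paths, value names and the edition caveat are from my own knowledge of Windows 10, not from the agreements quoted below.

```powershell
# Added example: report the Windows 10 diagnostic data (telemetry) level as set by
# Group Policy and by the Settings app. Value meaning: 0 = Security (honored only on
# Enterprise, Education and Server editions; Home and Pro treat it as Basic),
# 1 = Basic, 2 = Enhanced, 3 = Full.
$levelNames = @{ 0 = 'Security'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }

# Policy location (written by the "Allow Telemetry" GPO) and the Settings app location.
$sources = [ordered]@{
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
    'Settings app' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
}

function Get-TelemetryLevel {
    param([string]$Path)
    # Returns $null when the value is absent (no policy applied / built-in default in effect).
    $item = Get-ItemProperty -Path $Path -Name 'AllowTelemetry' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AllowTelemetry
}

$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
foreach ($name in $sources.Keys) {
    $level = Get-TelemetryLevel -Path $sources[$name]
    if ($null -eq $level) {
        "{0,-13}: not set" -f $name
        continue
    }
    $label = $levelNames[$level]
    if ($level -eq 0 -and $edition -notmatch 'Enterprise|Education|Server') {
        $label += ' (treated as Basic on this edition)'
    }
    "{0,-13}: {1} ({2})" -f $name, $level, $label
}
# When both values are present, the Group Policy value takes precedence.
```

Run it in an elevated PowerShell prompt on the device you want to check; "not set" for both means the level chosen during setup (Express or Custom) is in effect.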

All of them state that the data collected, or an analysis of the data, can be shared with third parties, although it is always stripped of identifiable data and only used for improvement purposes. Apple provides an option to prevent sending this information to app developers.

Location

I’ve provided a table to easily compare between the three companies. To see which sources I’ve used, scroll down to the Excerpts section at the end of this post.

Location | Microsoft | Apple | Google
--- | --- | --- | ---
Opt-in | Yes (1) | Yes | Yes
Per app setting | Yes | Yes | No (2)
Sent to cloud | No (3) | Yes | Yes
Location History? | Yes (4) | No | Yes (5)
Anonymous | Yes | Optional | Yes
Can be disabled | Yes (6) | Yes (6) | Yes (6)

(1) With Express Settings.

(2) Not on Android 4.1.1; later versions may have (hidden) features, even without rooting.

(3, 4) Microsoft shows only info about device location history (stored locally), nothing about data sent to Microsoft in the agreements. It’s unclear what Microsoft means with the part “all location lookup for apps and services“ (my emphasis on “services”, which suggests cloud services). It’s possible they mean the Find My Device feature in Windows Phone/10 Mobile, but that is also true for equivalent features in Apple and Google devices. In any case, the location history is only kept for a maximum of 24 hours or until a reboot.

(5) I know that Google stores the location history with your Google account, which can be disabled. I couldn’t find that info in the Terms of Service or Privacy Policy, but I did find this in the Technologies and Principles section. On my Android tablet (Yarvik Noble, with Android 4.1.1) those features were disabled by default (there was no configure screen at first start-up).

(6) All of them warn that turning off GPS is not enough; other sources can be used, like mobile connections, WiFi locations, IP addresses etc. Sometimes the Find My Device or built-in anti-theft features have to be disabled separately.

In any case it is possible that apps, when allowed access, send location data to third parties. This is true for all devices and can differ per app, in which case you should read the Privacy and Service Agreements of those specific (third-party) apps and services.

Typed/inking/speech data

I’ve provided a table to easily compare between the three companies. To see which sources I’ve used, scroll down to the Excerpts section at the end of this post.

Typed/inking/speech data | Microsoft | Apple | Google
--- | --- | --- | ---
Opt-in | Yes (1) | Yes | No info
Can be wiped | Yes | No | No info
Sent to cloud | Yes | Yes (2) | No info
Can be disabled | Yes | No (2) | No info

(1) When you choose Custom Settings at first start-up.

(2) There is an option to use non-Enhanced dictation, which will not send speech data to Apple. I’ve interpreted this as the option to disable this.

Note that Apple and Microsoft also send Calendar and People information stored on your device in order to improve the specific features that (mostly) use speech, probably for personal assistant features (Siri, Cortana) like “Call John Doe”.

Another interesting bit is that Apple specifically states that with the use of Enhanced Dictation, you agree that the collected voice and user data can be sent to third parties in order to improve Apple products and services.

Microsoft doesn’t state anything about third parties, but it does state that some data is stored on the device or in the cloud, also to improve handwriting recognition, dictionary prediction etc. This can be wiped though, an option Apple does not provide.

Interestingly enough I couldn’t find any information about this in the Google documents. I couldn’t find any specific information about inking, typing or speech in the Privacy or Service agreements. However a new Voice Typing feature from Google Apps does use cloud services. There are manuals on how to enable Google Now and voice activation, but nothing on how that exactly works and what (type, voice) data is sent to Google.

Advertising

I’ve provided a table to easily compare between the three companies. To see which sources I’ve used, scroll down to the Excerpts section at the end of this post.

With advertising I mean targeted advertisement.

Advertising | Microsoft | Apple | Google
--- | --- | --- | ---
Opt-in | Yes (1) | No | Yes (2)
Disable interest based? | Yes | Yes | Yes
Uses personal data | No | No | Yes

(1) When you use Custom Settings you can disable interest-based advertising in Windows 10 apps. However, for browsing it is only an opt-out.

(2) No settings on the device itself (on my Android device; it might be on yours), dependent on Google account and local browser settings.

In all cases you cannot prevent apps from displaying ads; the only difference is that your behavior might be monitored in order to provide specific ads based on your interests. This is where the specific ad ID, which all of them use, comes into play. So, they target you on a separate ID, independent of your account ID or other personally identifiable information.

The biggest difference here is that Google is the only one that analyses your personal data content (e.g. Gmail) in order to create personalized ads, while Apple and Microsoft focus on anonymous behavior performed on the device. This was the focus of Microsoft’s infamous Scroogled campaign. Microsoft even explicitly states that they will not use your personal data (highlighted) to give you targeted ads (however, they are allowed to use your content for promoting the service, but only if it’s already public).

Apple and Microsoft do offer options to control targeted advertising on the device itself, something I couldn’t find on my Google device but which could be on yours. In that case you probably have to adjust your Google account settings, similar to something Microsoft also offers. I’m not completely sure whether Apple’s Limit Ad Tracking is on or off by default, or whether it is asked during first start-up.

Conclusion

Microsoft really wants your telemetry, as without some extra assistance you cannot turn it off completely; even the Custom Settings will set it to Enhanced instead of the even lower setting of Basic. This is not the case with Apple and Google, although I couldn’t find any settings on my Android device. It might be version or vendor specific.

But is it a bad thing that Microsoft really wants you to send telemetry data? Personally I don’t think so; as stated, the minimal setting will not send any personal data to Microsoft. So, what’s the privacy concern anyway? It’s still data with which you cannot be identified (as long as there is no accidental personal data sent with it). How harmful could that be if it were to leak outside these companies? That’s a question worth answering first, before freaking out.

The data will be used to improve the OS, and considering that Windows runs on an almost infinite combination of hardware, that data is probably crucial to Microsoft. This is less of an issue for Apple, as their hardware is manufactured by themselves and, compared to PCs, has less variation. Google’s Chrome OS is open source and OEMs can modify it to suit their needs. Although I don’t have any hands-on experience with the OS itself, I suspect the hardware configurations are more standardized than devices running Windows. That would mean that Apple and Google probably require less telemetry data in order to improve their OS.

Furthermore, Microsoft provides a granular approach to what is sent to Microsoft. Apple only provides a Settings option not to send diagnostics to app builders. Although there should be settings to toggle those options, on my Google device they weren’t available. So, should I assume it’s disabled?

Google seems more “aggressive” here in regards to locations than Microsoft and Apple, with storing your location history with your Google account. On my device it’s an opt-out, but that could be different per device. Also, my Android device cannot change the per app settings (which is a bigger issue with different Android versions, I think). Microsoft does that perhaps a little bit better by only providing a maximum of 24 hours of location history to apps, although they can store that information themselves independently of course.

To me it’s no surprise that Apple and Microsoft use cloud services to leverage the required computing power in order to deliver or improve voice recognition services; this way the devices in your hand (or on your table) don’t have to be power horses. It would be impractical or even impossible to deliver those services otherwise. However, Apple does offer a local option, with the warning that the results are probably less satisfying than using the Enhanced cloud option.

But if your typing etc. is sent to the cloud, it is in both cases (Apple and Microsoft) in order to improve handwriting and voice recognition, dictionary prediction etc. A notable thing is that when accepting Enhanced Voice recognition, Apple may send this information, including user data (presumably Contacts, nicknames, HomeKit devices etc.), also to Apple’s subsidiaries and agents. But that is something Microsoft also states for diagnostic and telemetry information. In both cases it’s anonymous. A welcome feature Microsoft offers is a wipe function for speech/typing/inking data stored on your device and in the cloud. I would welcome something similar from Apple.

Ads in apps are here to stay, not surprising. They all try to provide interest-based advertising. They all won’t sell your direct information to third parties, but provide access to profiles. This can be turned off in all cases, but it will not turn off ads completely. However, the most “shocking” thing would be that Google is the only one that actually uses your personal data to target ads. Looking at the main revenue streams of these big three, that shouldn’t come as a big surprise, in my humble opinion.

Overall, I think the differences are not that shocking. They use mostly similar techniques and similar language in their agreements. The information is readily available and referenced in the devices themselves, although IMHO Microsoft and Apple do a better job than Google. However, Google is not responsible for Android implementations, that’s the vendor’s job. Which is kinda tricky, you won’t get a standardized experience as you would with Apple and Microsoft. But all in all it’s probably the image a certain company has that is correlated with privacy concerns. Microsoft just got the short straw…

Sure, Microsoft could improve on their image by making the Windows 10 Custom setting experience default and Express less available. Also, when using the Custom Setting the Telemetry setting is set to Enhanced. That is weird IMHO, at least set it at the lowest level (Basic) as one would expect. Or give the option to fully disable it, if only as a PR effort.

Personally I don’t mind that these companies collect telemetry, dictation etc… They all use it to improve the OS, Apps or services which would probably look a lot different if they didn’t use that data. And it’s not new, but some sleeping dogs probably woke up with the big Windows 10 launch.

And think of this; what would they (Microsoft, Apple and Google) benefit from using your data in secret? It will eventually get out and then the damage will be greater than any benefit they would have, as my fellow MVP Joost van Schaik wrote in his blog.

What do you think (now)? Is Windows 10 a privacy nightmare? Or is this just the way we all work now, no matter what brand device or service you use? I think the latter.

A big thanks go out to my coworkers Maarten Odekerken for reviewing and Zarco Zwier for reviewing and making some very useful suggestions.

Disclaimer

I’ve done my best to provide objective information, but I’m not infallible and some aspects are a little bit subjective or leave room for interpretation (when is something opt-in or opt-out, for instance). While I’ve taken my time reading, checking, comparing etc., I might have overlooked things, mixed them up or assumed something which is faulty. Check those agreements yourself if you have any doubts. Check your devices, make screenshots etc. I might be wrong, but prove me wrong.

Excerpts

Italic is used to indicate headers and such, corresponding with the formatting of the original form. Bold is my own emphasis and Bold+Italic is emphasis by the source themselves but which I found equally important. The source is provided at the top of the excerpt.

Diagnostics & Telemetry

Microsoft

Usage and connectivity data. Microsoft regularly collects basic information about your Windows device including usage data, app compatibility data, and network and connectivity information. This data is transmitted to Microsoft and stored with one or more unique identifiers that can help us recognize an individual user on an individual device and understand the device’s service issues and use patterns. The data we collect includes:

Configuration data, including the manufacturer of your device, model, number of processors, display size and resolution, date, region and language settings, and other data about the capabilities of the device.

The software (including drivers and firmware supplied by device manufacturers), installed on the device.

Performance and reliability data, such as how quickly programs respond to input, how many problems you experience with an app or device, or how quickly information is sent or received over a network connection.

App use data for apps that run on Windows (including Microsoft and third party apps), such as how frequently and for how long you use apps, which app features you use most often, how often you use Windows Help and Support, which services you use to sign into apps, and how many folders you typically create on your desktop.

Network and connection data, such as the device’s IP address, number of network connections in use, and data about the networks you connect to, such as mobile networks, Bluetooth, and identifiers (BSSID and SSID), connection requirements and speed of Wi-Fi networks you connect to.

Other hardware devices connected to the device.

Some diagnostic data is vital to the operation of Windows and cannot be turned off if you use Windows. Other data collection is optional, and you will be able to turn this data collection on or off in Settings.

Windows Error Reporting. Windows Error Reporting helps Microsoft and Microsoft partners diagnose problems in the software you use and provide solutions. Not all problems have solutions, but when solutions are available, they are offered as steps to solve a problem you’ve reported or as updates to install. To help prevent problems and make software more reliable, some solutions are also included in future releases of the software.

Windows Error Reporting collects information that is useful for diagnosing and solving a problem that has occurred, such as where the problem happened in the software or hardware, the type or severity of the problem, files that help describe the problem, basic software and hardware information, or possible software performance and compatibility problems. Windows Error Reporting also collects information about apps, drivers, and devices to help Microsoft understand and improve app and device compatibility.

If you choose to enable automatic reporting while setting up Windows, the reporting service will automatically send basic information about where problems occur. Some error reports might unintentionally contain personal information. For example, a report that contains a snapshot of PC memory might include your name, part of a document you were working on, or data that you recently submitted to a website. If an error report contains personal data, we won’t use that data to identify, contact, or target advertising to you. Reports including files and data might be stored on your PC until after they have been sent or deleted. You can turn off automatic error reporting at any time in Settings.

As you use Windows, we collect performance and usage information that helps us identify and troubleshoot problems as well as improve our products and services. We recommend that you select Full for this setting.

Basic information is data that is vital to the operation of Windows. This data helps keep Windows and apps running properly by letting Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. If you select this option, we’ll be able to provide updates to Windows (through Windows Update, including malicious software protection by the Malicious Software Removal Tool), but some apps and features may not work correctly or at all.

Enhanced data includes all Basic data plus data about how you use Windows, such as how frequently or how long you use certain features or apps and which apps you use most often. This option also lets us collect enhanced diagnostic information, such as the memory state of your device when a system or app crash occurs, as well as measure reliability of devices, the operating system, and apps. If you select this option, we’ll be able to provide you with an enhanced and personalized Windows experience.

Full data includes all Basic and Enhanced data, and also turns on advanced diagnostic features that collect additional data from your device, such as system files or memory snapshots, which may unintentionally include parts of a document you were working on when a problem occurred. This information helps us further troubleshoot and fix problems. If an error report contains personal data, we won’t use that information to identify, contact, or target advertising to you. This is the recommended option for the best Windows experience and the most effective troubleshooting.

Apple

4. Consent to Use of Data.
A. Diagnostic and Usage Data. If you choose to allow diagnostic and usage collection, you agree that Apple and its subsidiaries and agents may collect, maintain, process and use diagnostic, technical, usage and related information, including but not limited to unique system or hardware identifiers, information about your computer, system and application software, and peripherals, that is gathered periodically to provide and improve Apple’s products and services, facilitate the provision of software updates, product support and other services to you (if any) related to the Apple Software, and to verify compliance with the terms of this License. You may change your preferences for Diagnostics & Usage collection at any time by going to the Diagnostics & Usage setting in the Apple Software and deselecting the checkbox. The Diagnostics & Usage setting is found in the Security & Privacy pane within System Preferences. Apple may use this information, as long as it is collected in a form that does not personally identify you, for the purposes described above. To enable Apple’s partners and third party developers to improve their software, hardware and services designed for use with Apple products, Apple may also provide any such partner or third party developer with a subset of diagnostic information that is relevant to that partner’s or developer’s software, hardware and/or services, as long as the diagnostic information is in a form that does not personally identify you.

Google

For Chrome browser and Chrome OS, you may choose to send usage statistics and crash reports to Google. You can manage this setting within the Chrome preferences page; for Chrome OS users, usage statistics and crash reports are enabled by default. This setting will apply to all users for a given installation of Chrome. The usage statistics and crash reports help us diagnose problems, help us understand how users interact with Chrome, and help us improve Chrome’s performance. Chrome tries to avoid sending information that identifies you personally. Crash reports, however, can contain system information at the time of a malfunction, and errors leading up to a malfunction. We may share with third parties certain aggregated, non-personal information we derive from our analysis, such as how frequently certain types of crashes occur.

Location

Microsoft

How does location history work and what does clearing location history do?
Some Windows apps and services that use location info also use location history info. When location is on, all location lookups for apps and services will be stored on the device for a limited time (24 hours in Windows 10), then deleted. Apps that have access to this info will have Uses location history under them in the Choose apps that can use your location list.
Select Clear to clear the location history on your device. The location history will also be cleared when you reboot your device. Note that clearing the location history only clears the history on the device—apps that have already accessed this information prior to it being cleared may have the information stored elsewhere. Refer to your apps’ privacy policies.

Can my device location be discovered if the Windows location service is turned off for my user account?
Yes, there are apps, services, and technologies that can discover your device location even when location is turned off for your user account. Microsoft services like Find My Device and Wi-Fi Sense will still have access to your device location if these services are turned on for your device. Your mobile operator will have access to your device’s location if your device is cellular enabled or has a SIM card. Also, third party Classic Windows apps and services that run outside of your user account might still have access to your location. To learn more about user account security, visit the Service User Account page.

Apple

Location-Based Services
To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. Where available, location-based services may use GPS, Bluetooth, and your IP Address, along with crowd-sourced Wi-Fi hotspot and cell tower locations, and other technologies to determine your devices’ approximate location. Unless you provide consent, this location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, your device may share its geographic location with application providers when you opt in to their location services. Some location-based services offered by Apple, such as the “Find My iPhone” feature, require your personal information for the feature to work. You may withdraw consent to Apple and its partners’ and licensees’ collection, use, transmission, processing and maintenance of location and account data at any time by not using the location-based features and turning off the Find My iPhone, Find My Friends, or Location Services settings (as applicable) on your device and computer.

Google

If you use Chrome’s location feature, which allows you to share your location with a web site, Chrome will send local network information to Google Location Services to get an estimated location. Learn more about Google Location Services and enabling / disabling location features within Google Chrome. The local network information may include (depending on the capabilities of your device) information about the wifi routers closest to you, cell IDs of the cell towers closest to you, the strength of your wifi or cell signal, and the IP address that is currently assigned to your device. We use the information to process the location request and to operate, support, and improve the overall quality of Chrome and Google Location Services. The collected information described above will be anonymized and aggregated before being used by Google to develop new features or products and services, or to improve the overall quality of any of Google’s other products and services.

If you are using a mobile version of Chrome, and you have granted your Android device or Chrome on iOS permission to access your location, then Chrome may use your location for Google location-enabled services, including for example enhancing omnibox searches.

Typed/inking/speech data

Microsoft

Personalization is a key benefit to Windows 10.
Personalized speech, inking, and typing. This information helps Windows 10 correctly recognize and personalize your input, so you can have an experience that feels more natural and relevant, based on your contacts and calendar.
Send typing and inking data. Your typed and handwritten words can add to help improve character recognition and provide you with a personalized dictionary and text completion suggestions.

What are speech, inking, and typing services?
When you interact with your Windows device by speaking, writing (handwriting), or typing, Microsoft collects speech, inking, and typing information—including information about your Calendar and People (also known as contacts)—that helps personalize your experience. This information improves your device’s ability to correctly recognize your input, such as your pronunciation and handwriting. You can turn the Speech, inking, and typing setting (which is called Getting to know you) on or off in Settings.

We also collect your typed and handwritten words to improve character recognition and provide you with a personalized user dictionary and text completion suggestions. Some of this data is stored on your device and some is sent to Microsoft to help improve these services. You can turn the Send Microsoft info about how I write setting on or off in Settings.

Can I clear the speech, inking, and typing data Microsoft has collected about me?
Yes, you can clear your speech, inking, and typing data from your device and from the cloud. To clear data stored on your Windows device, go to Start, then select Settings > Privacy > Speech, inking, & typing, and then select Stop getting to know me. This will also stop speech, inking, and typing services from collecting data.
To clear data stored on the cloud, go to Start, then select Settings > Privacy > Speech, inking, & typing, and then select the Go to Bing and manage personal info for all your devices link.

Apple MacOS

C. Dictation. To the extent that your Apple-branded computer supports the dictation feature, you can choose to have either your Mac or Apple’s servers perform the speech recognition for you. If you use Enhanced Dictation, your Mac will convert the things you say into text without sending your dictated speech to Apple. If you use server-based Dictation, the things you say will be recorded and sent to Apple to convert what you say into text and your computer will also send Apple other information, such as your name and nickname; and the names, nicknames, and relationship with you (e.g., “my dad”) of your address book contacts (collectively, your “User Data”). All of this data is used to help Dictation better recognize what you say. It is not linked to other data that Apple may have from your use of other Apple services.

By using server-based Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Dictation and Siri functionality in Apple products and services. You can turn off or change your preferences for Dictation at any time by going to the Dictation & Speech pane within System Preferences.

Apple iOS

(c) Siri and Dictation. If your iOS Device supports Siri and Dictation, these features may allow you to make requests, give commands and dictate text to your device using your voice. When you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text and to process your requests. Your device will also send Apple other information, such as your name and nickname; the names, nicknames, and relationship with you (e.g., “my dad”) of your address book contacts; song names in your collection, and HomeKit-enabled devices in your home (e.g., “living room lights”) (collectively, your “User Data”). All of this data is used to help Siri and Dictation understand you better and recognize what you say. It is not linked to other data that Apple may have from your use of other Apple services. By using Siri or Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and dictation functionality in other Apple products and services.

If you have Location Services turned on, the location of your iOS Device at the time you make a request to Siri may also be sent to Apple to help Siri improve the accuracy of its response to your location-based requests. You may disable the location-based functionality of Siri by going to the Location Services setting on your iOS Device and turning off the individual location setting for Siri.

Siri can allow you to interact with your iOS Device without needing to unlock it. If you have enabled a passcode on your iOS Device and would like to prevent Siri from being used from the lock screen, you can tap Settings, tap General, tap Passcode Lock and turn the Siri option to “off”.

You can also turn off Siri and Dictation altogether at any time. To do so, open Settings, tap General, tap Siri, and slide the Siri switch to “off”.

I did not find any specific information about typing or inking.

Google

I couldn’t find any specific information about inking, typing or speech in the Privacy or Service agreements. However, a new Voice Typing feature from Google Apps does use cloud services. There are manuals on how to enable Google Now and voice activation, but nothing on how that exactly works and what (typing, voice) data is sent to Google.

Advertising

Microsoft

You may opt out of receiving interest-based advertising from Microsoft by visiting our opt-out page.

When you opt out, your selection will be stored in a cookie that is specific to the web browser you are using. The opt-out cookie has an expiration date of five years. If you delete the cookies on your device, you will need to opt out again.

You can also link your opt-out choice with your Microsoft account. It will then apply on any device where you use your Microsoft account, and will continue to apply until someone signs in with a different Microsoft account on that device. If you delete the cookies on your device, you will need to sign in again for the settings to apply.

For advertising that appears in apps on Windows, you may use the Microsoft account opt-out, or opt out of interest-based advertising by turning off the advertising ID in Windows Settings.

Because the data used for interest-based advertising is also used for other necessary purposes (including providing our services, analytics and fraud detection), opting out of interest-based advertising does not stop that data from being collected. Nor does it mean you will stop getting ads or see fewer ads. However, if you do opt out, the ads you receive will no longer be interest-based and may be less relevant to your interests.

Under “Windows>Advertising ID”

Windows generates a unique advertising ID for each user on a device. Your advertising ID can be used by app developers and advertising networks to provide more relevant advertising. You can turn off access to this identifier at any time in the device Settings. If you choose to turn it on again, a new identifier will be generated. For more information on our use of data for advertising, see the How We Use Data section of this statement.

Advertising ID. Advertising ID is a unique identifier, consisting of a random string of characters, which Windows generates for each user on a device. When turned on, apps can access the ID in order to deliver advertising that is relevant to you based on your app usage. You can turn it on or off at any time. If you turn it on again, a new identifier will be generated.

2. Your Content. Many of our Services allow you to store or share Your Content or receive material from others. We don’t claim ownership of Your Content. Your Content remains Your Content and you are responsible for it.

a. When you share Your Content with other people, you understand that they may be able to, on a worldwide basis, use, save, record, reproduce, transmit, display (and on HealthVault delete) Your Content without compensating you. If you do not want others to have that ability, do not use the Services to share Your Content. You represent and warrant that for the duration of these Terms, you have (and will have) all the rights necessary for Your Content that is uploaded, stored or shared on or through the Services and that the collection, use, and retention of Your Content will not violate any law or rights of others. Microsoft cannot be held responsible for Your Content or the material others upload, store or share using the Services.

b. To the extent necessary to provide the Services to you and others, to protect you and the Services, and to improve Microsoft products and services, you grant to Microsoft a worldwide and royalty-free intellectual property license to use Your Content, for example, to make copies of, retain, transmit, reformat, display, and distribute via communication tools Your Content on the Services. If you publish Your Content in areas of the Service where it is available broadly online without restrictions, Your Content may appear in demonstrations or materials that promote the Service. Controls for how Microsoft personalizes advertising are available on the Security & privacy page of the Microsoft account management website. We do not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target advertising to you. Our advertising policies are covered in detail in the Privacy Statements.

Apple MacOS

Apple iOS

(g) Interest-Based Advertising from iAd. Apple may provide mobile, interest-based advertising to you. If you do not want to receive relevant ads on your iOS Device, you can opt out by going to the Limit Ad Tracking setting on your iOS Device. If you opt out, you will continue to receive the same number of mobile ads, but they may be less relevant because they will not be based on your interests. You may still see ads related to the content on a web page or in an application or based on other non-personal information.

Google

We use information collected from cookies and other technologies, like pixel tags, to improve your user experience and the overall quality of our services. One of the products we use to do this on our own services is Google Analytics. For example, by saving your language preferences, we’ll be able to have our services appear in the language you prefer. When showing you tailored ads, we will not associate an identifier from cookies or similar technologies with sensitive categories, such as those based on race, religion, sexual orientation or health.

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection.

I’ll be speaking at GWAVACon 2015 and the UC Day
https://dirteam.com/dave/2015/09/14/ill-be-speaking-at-gwavacon-2015-and-the-uc-day/
Mon, 14 Sep 2015 09:17:43 +0000

I’m happy to report that I will be speaking at two upcoming events: the two-day event GWAVACon 2015 in Berlin (Germany) on the 22nd and 23rd of September and the one-day Unified Communications Day event in Birmingham (UK) on the 28th of September.

On GWAVACon my sessions will be the English versions of:

What’s new in Exchange 2016
Exchange Architecture and Sizing
Exchange Server Migrations & Updates

For a full agenda, click here.

On the UC Day my session will be: Tooling your Exchange For

Test it yourselves: Exchange Server 2016 Preview is now available!
https://dirteam.com/dave/2015/07/22/test-it-yourselves-exchange-server-2016-preview-is-now-available/
Wed, 22 Jul 2015 17:57:27 +0000

Today the Microsoft Exchange Product Team released the public Preview of Exchange Server 2016! See the announcement on the EHLO blog.

Now everybody can install, investigate and test the latest iteration of Exchange Server, which is part of Wave 16 of all Office applications (such as Office 2016, Skype for Business, SharePoint 2016 etc.). Some of these features are already present in Office 365, others will be added in time.

As this is a Preview release, don’t install it in a production environment. Builds are being tested in production by TAP (Technology Adoption Program, see here for an explanation) customers, but those customers get specific support from Microsoft that you probably will not. If you do, you might encounter unsolvable issues. So be sure to fire up a lab environment and test this build there.

The requirements to install this Preview are:

Note that this is a lower requirement than was announced during Ignite 2015; during that event Windows Server 2012 R2 and Windows 10 (or Windows Server 2016) were the minimum. But this was before the release of Windows Server 2016 was delayed to early calendar year 2016.

For OWA Modern Attachments you will require Office Web App Server 2016.
Storage of attachments can be performed on SharePoint Server 2016 or Office 365’s OneDrive for Business. At the time of writing no information was available about a Technical Preview/Beta release for the Office Web App Server 2016.

Note that these requirements might change at the General Availability of Exchange Server 2016. They have already changed from what was announced during Ignite in Ross Smith IV’s session (with a clear disclaimer that this might change).

If you look at the link, you’ll see that the version part of the URL has (v=exchg.160) in it. I expect that the corresponding articles for earlier versions of Exchange only differ in the version number and not in the article ID. But don’t assume.

For more information about Exchange Server 2016, be sure to check out the sessions from Ignite 2015:

Cheat Sheet: Setting Exchange Mailbox User Permissions via PowerShell
https://dirteam.com/dave/2015/07/13/cheat-sheet-setting-exchange-mailbox-user-permissions-via-powershell/
Mon, 13 Jul 2015 14:24:19 +0000

One of the things I get asked about quite a lot is how you can set specific permissions in Exchange Server and Exchange Online. In most cases the Management Console (in 2010) or the Exchange Admin Center (EAC, Exchange 2013 & 2016 and Online) provides the most basic permissions like Full Access, Send As and Send On Behalf. However, sometimes an admin has to set Send on Behalf permissions on a Shared Mailbox or disable AutoMapping, and those options are not available via the EAC. The same goes for setting specific Folder Permissions within a mailbox.

The solution is to use the Exchange Management Shell, or PowerShell. However, every type of permission has a different cmdlet. If you do not set these permissions on a regular basis, you probably have to look up how to perform these actions. Below are the cmdlets with a specific example, each with a link to the TechNet article explaining in more detail their function (provided you have the correct permissions in order to use them):

Example Full Access:

Where <Mailbox> is the identity of the mailbox you wish to apply permissions on and <user> the account that will receive these permissions. In this case the AccessRights value FullAccess was applied, but others are available. Inheritance was also set, so these permissions permeate through the whole mailbox. Automapping (the automatic addition of mailboxes the user has FullAccess to, via AutoDiscover) can be set to False, disabling this feature; this option is only available via PowerShell, not via the EAC unfortunately.

Example Folder Permission:

Where <Mailbox> is the identity of the mailbox you wish to apply permissions on, <Folder> the name of the specific folder and <user> the account that will receive these permissions. In this case the AccessRights value Owner was applied, but others are available. For Calendar folders there are two extra permissions listed, in order to configure the calendar information that is visible when planning a meeting or viewing another user’s Calendar.

Note that the Well-Known folders (like Inbox, Calendar, Sent Items etc.) will change name with the regional settings set by the user (via OWA) or by the language settings of Outlook when first connecting to their Mailbox. This might pose a challenge if you want to automate specific settings on those Well-Known folders. Luckily the FolderType is a constant and that value will tell you what kind of folder it is. Custom-made folders (a second calendar for instance) have the folder type “User Created”.

Use the following PowerShell one-liner in order to find the specific name of the Well-Known Calendar folder:
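An added example (not from the post) that does the lookup described above in a reusable way: it resolves the localized name of a Well-Known folder through its constant FolderType and then grants folder permissions on it, so the same script works for a Dutch “Agenda” and an English “Calendar”. It assumes an Exchange Management Shell or remote PowerShell session is already open; the mailbox and user names are placeholders, and the Get-MailboxFolderPermission/Set-MailboxFolderPermission fallback for an existing entry is my addition.

```powershell
# Added example, not from the original post. Assumes an Exchange Management Shell
# or a remote PowerShell session to Exchange/Exchange Online is already open.
# FolderType values ('Calendar', 'Inbox', 'SentItems', 'User Created') are constant;
# Name and FolderPath follow the user's regional settings.

function Get-WellKnownFolderIdentity {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,
        [Parameter(Mandatory)] [string] $FolderType   # e.g. 'Calendar', 'Inbox', 'SentItems'
    )
    $folder = Get-MailboxFolderStatistics -Identity $Mailbox |
        Where-Object { $_.FolderType -eq $FolderType } |
        Select-Object -First 1
    if (-not $folder) { throw "No folder of type '$FolderType' found in mailbox '$Mailbox'" }
    # FolderPath looks like '/Agenda'; the *-MailboxFolderPermission cmdlets want 'mailbox:\Agenda'
    return '{0}:{1}' -f $Mailbox, ($folder.FolderPath -replace '/', '\')
}

function Set-CalendarAccess {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,   # placeholder: mailbox whose calendar is shared
        [Parameter(Mandatory)] [string] $User,      # placeholder: account receiving the rights
        # AvailabilityOnly and LimitedDetails are the two calendar-only levels the post refers to
        [ValidateSet('Owner', 'PublishingEditor', 'Editor', 'Reviewer', 'AvailabilityOnly', 'LimitedDetails')]
        [string] $AccessRights = 'Reviewer'
    )
    $identity = Get-WellKnownFolderIdentity -Mailbox $Mailbox -FolderType 'Calendar'

    # Add-* errors out when the user already has an entry on the folder; update it instead.
    $existing = Get-MailboxFolderPermission -Identity $identity -User $User -ErrorAction SilentlyContinue
    if ($existing) {
        Set-MailboxFolderPermission -Identity $identity -User $User -AccessRights $AccessRights
    } else {
        Add-MailboxFolderPermission -Identity $identity -User $User -AccessRights $AccessRights
    }

    # Return the resulting entry so the change can be verified.
    Get-MailboxFolderPermission -Identity $identity -User $User
}

# Usage with placeholder names: show only free/busy and subject/location to 'alice'
Set-CalendarAccess -Mailbox 'shared.room' -User 'alice' -AccessRights 'LimitedDetails'
```

The same Get-WellKnownFolderIdentity function can be pointed at any other FolderType (Inbox, SentItems), which is what makes it useful for automation across mailboxes with different language settings.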

Example SendAs (on-premises only):

Where <Mailbox> is the identity of the mailbox (or Distribution Group) you wish to apply permissions on and <user> the account that will receive these permissions. In this case the SendAs right is set, although in some cases ReceiveAs might be required. Permission to send mail as another user is actually an Active Directory permission, so this cmdlet will only work in on-premises environments.

Example Send On Behalf:

Where <Mailbox> is the identity of the mailbox you wish to apply permissions on and <user> the account that will receive these permissions. As I’m writing this, you cannot set these permissions via the EAC on non UserMailbox type mailboxes (i.e. Shared Mailboxes), so PowerShell is your only way.

Please note that these permissions with the example syntax will overwrite previously set permissions. If you only require additions, use the @{add="user1","user2"} syntax as the <user> value. In this case user1 and user2 are added to the Send on Behalf permissions and the user permissions already present are retained.

Changing the Sent Item behavior:

In Exchange 2010 since Service Pack 3 you can change the Sent Item behavior with:

Where <Mailbox> is the identity of the mailbox that other users have SendAs or Send on Behalf permissions on. Use parameter SendAsItemsCopiedTo for Send As permissions and the parameter SendOnBehalfOfItemsCopiedTo for any Send on Behalf permissions. <Option> defines the specific behavior you require (just the mailbox specified with the Identity or both mailbox and the actual sender).

In Exchange 2013 since CU9 and in Exchange Online (if your tenant is enabled, at the time of writing it’s possible some are not) you can change the Sent Item behavior with:

Where <Mailbox> is the identity of the (Shared) mailbox that other users have SendAs or Send on Behalf permissions on. Use MessageCopyForSentAsEnabled and MessageCopyForSendOnBehalfEnabled respectively; i.e. you won’t change the behavior for users who have Send As permission when setting MessageCopyForSendOnBehalfEnabled to $True, and vice versa. Setting the value to $False disables the feature again.

Removing permissions

Removing permissions is done with the Remove-* equivalent of each cmdlet, with the exception of the Send On Behalf permission: those permissions can be completely cleared by using $null as the <user> value.
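An added PowerShell example (not from the post) that ties the Full Access, Send As, Send On Behalf, Sent Items and removal parts of this cheat sheet together in one function, so a delegation can be granted and revoked consistently. It assumes an Exchange Management Shell (on-premises) or a remote session to Exchange Online; the mailbox and user names are placeholders. Two things go beyond the post and are my own choice: the Get-Command checks that pick the on-premises or Online path, and Add-RecipientPermission as the Exchange Online counterpart of the AD-based Send As grant.

```powershell
# Added example, not from the original post. $Mailbox / $User are placeholders.
function Set-MailboxDelegation {
    param(
        [Parameter(Mandatory)] [string] $Mailbox,   # mailbox (or shared mailbox) being delegated
        [Parameter(Mandatory)] [string] $User,      # account receiving the permissions
        [ValidateSet('Grant', 'Revoke')] [string] $Action = 'Grant'
    )
    # Send As is an Active Directory ACE, so Add-ADPermission only exists on-premises.
    $onPrem = [bool](Get-Command Add-ADPermission -ErrorAction SilentlyContinue)

    if ($Action -eq 'Grant') {
        # Full Access inherited through the whole mailbox, with AutoMapping off
        # (the EAC cannot switch AutoMapping off).
        Add-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess `
            -InheritanceType All -AutoMapping $false

        if ($onPrem) {
            Add-ADPermission -Identity $Mailbox -User $User -ExtendedRights 'Send-As'
        } else {
            # Exchange Online equivalent (my assumption, not taken from the post)
            Add-RecipientPermission -Identity $Mailbox -Trustee $User -AccessRights SendAs -Confirm:$false
        }

        # Send On Behalf: @{Add=...} keeps delegates that are already there,
        # whereas a plain value would replace the whole list.
        Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{Add = $User}

        # Sent Items copy: Exchange 2010 SP3 has its own cmdlet,
        # Exchange 2013 CU9+ and Exchange Online use two Set-Mailbox parameters.
        if (Get-Command Set-MailboxSentItemsConfiguration -ErrorAction SilentlyContinue) {
            Set-MailboxSentItemsConfiguration -Identity $Mailbox `
                -SendAsItemsCopiedTo SenderAndFrom -SendOnBehalfOfItemsCopiedTo SenderAndFrom
        } else {
            Set-Mailbox -Identity $Mailbox -MessageCopyForSentAsEnabled $true `
                -MessageCopyForSendOnBehalfEnabled $true
        }
    } else {
        Remove-MailboxPermission -Identity $Mailbox -User $User -AccessRights FullAccess `
            -InheritanceType All -Confirm:$false
        if ($onPrem) {
            Remove-ADPermission -Identity $Mailbox -User $User -ExtendedRights 'Send-As' -Confirm:$false
        } else {
            Remove-RecipientPermission -Identity $Mailbox -Trustee $User -AccessRights SendAs -Confirm:$false
        }
        # @{Remove=...} takes one delegate away; -GrantSendOnBehalfTo $null would clear them all.
        Set-Mailbox -Identity $Mailbox -GrantSendOnBehalfTo @{Remove = $User}
    }

    # Show the resulting state so the change can be verified.
    Get-MailboxPermission -Identity $Mailbox -User $User |
        Select-Object User, AccessRights, IsInherited
    (Get-Mailbox -Identity $Mailbox).GrantSendOnBehalfTo
}

# Usage with placeholder names
Set-MailboxDelegation -Mailbox 'shared.sales' -User 'alice' -Action Grant
```

Running it with -Action Revoke undoes exactly the grants it made, which keeps the two paths symmetrical and avoids the $null form that would wipe every other Send On Behalf delegate as well.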

Now you have a little cheat sheet for setting mailbox permissions in Exchange via PowerShell!

Yay! Renewed as an Exchange MVP
https://dirteam.com/dave/2015/07/01/yay-renewed-as-an-exchange-mvp/
Wed, 01 Jul 2015 14:23:28 +0000

Today was a nerve-racking day (a lot of F5/F9 to refresh my MVP profile page and to see if I got that one mail in Outlook), but eventually I received some good news:

Dear Dave Stork,

Congratulations! We are pleased to present you with the 2015 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Exchange Server technical communities during the past year.

Yes, I am presented with another MVP (Most Valuable Professional) award! I am very happy and grateful to receive this acknowledgement! I hope to do a lot of exciting stuff the upcoming year!

Obviously also congratulations to all new and renewed MVPs!

For those who don’t know: the MVP award is presented to individuals who made outstanding contributions to technical communities in the last year. As such, after each year you will either be re-awarded or not, depending on your contributions. Award rounds take place on the first day of January, April, July and October.

Checking security protocols and ciphers on your Exchange servers
https://dirteam.com/dave/2015/06/07/checking-security-protocols-and-ciphers-on-your-exchange-servers/
Sun, 07 Jun 2015 18:22:46 +0000

Microsoft states that Exchange 2010 and 2013 are secure out of the box. By this they mean that all traffic going in and out of Exchange is encrypted one way or another, whether it is web traffic or SMTP. Even IMAP and POP come with mandatory encryption (although the services are disabled by default).

However, the past few months we’ve had reports that specific encryption protocols and ciphers (the algorithms used for encryption and decryption) in use aren’t considered safe, due to bugs or to progress in the field of decryption (by brute force). Remember FREAK, Heartbleed, POODLE, Logjam and, in somewhat related form, the recent IIS exploit which could BSOD an IIS server. This is why it is very prudent to verify whether your Exchange servers use safe protocols and ciphers.

So, how can you check your servers? There are websites that can check your web server, like those from Qualys SSL Labs or DigiCert. But these only check HTTPS traffic and only for published servers. If you have a reverse proxy (TMG, WAP or other) or a Load Balancer/Application Delivery Controller, you will only test those endpoints. The actual Exchange servers and protocols like SMTP aren’t checked.

Luckily there are some freely available tools that can do this kind of testing as well. Running on Windows we have SSLScan and Win32 OpenSSL.

Running SSLScan is easy. Install it on a Windows server inside your network and use:

sslscan webmail.contoso.com

Or if you do not want to see protocols and ciphers that fail, use

sslscan --no-failed webmail.contoso.com

If you have multiple namespaces (for instance per Exchange protocol, such as AutoDiscover, Exchange Web Services etc.) or multiple virtual directories for a specific protocol (OWA or Exchange Control Panel), I would check every internal and external URL separately, even though the protocol and cipher configuration is server-wide.

The section “Supported Server Cipher(s)” shows all ciphers and protocols that are usable. The section “Preferred Server Cipher(s)” shows the first protocol and cipher that will be offered in the negotiation. If the client supports this protocol/cipher it will be used, otherwise other (less strong) ciphers will be tried during negotiation.

For separate Exchange servers you will have to use the FQDN. Luckily this will not result in a certificate mismatch error and the tool will still check the server. You will have to check each server separately. And do not forget to check any proxy/firewall/load balancer, basically anything that does something with the SSL session, as well. Depending on the configuration it will decrypt incoming traffic and encrypt it again towards the Exchange servers (SSL bridging) or not (SSL Offloading). Either way, the whole chain from the initial client entry point up to the Exchange Servers needs to be checked.

Why check the Exchange servers themselves, even if secure sessions from clients will not connect to Exchange directly? I like to have a consistent security policy through the whole chain. Furthermore, for some protocols the route from client to Exchange may be different (i.e. internal applications communicating with Exchange servers directly). Best to be thorough IMHO.

All client-server protocols in Exchange use Secure Channel (schannel) as the security support provider; this is at the Windows OS level and is not Exchange specific. Exchange uses IIS for HTTPS, and that in turn uses schannel. For SMTP, IMAP and POP Exchange now has its own protocol stacks, but those also use the schannel configuration. This means that the supported protocols and ciphers list you see for HTTPS traffic is also used by SMTP, IMAP and POP.

However, those protocols could have another certificate bound to them or, as stated earlier, a different client-server route. So it’s best to check them out as well, both on the internet-published FQDNs and on the per-server FQDNs.

This is also possible with SSLScan. However, where HTTPS is implicit (the secure connection is always set up without explicit commands sent by the client), SMTP, IMAP and POP can be explicit and thus require the use of STARTTLS commands.

SMTP on port 25, and especially client submission SMTP on port 587, require STARTTLS before a secure connection is set up. You can do this by adding the -STARTTLS parameter in SSLScan and adding the port to the server address.

In my lab case this resulted in the output shown in Figure 2. Note that the protocols and ciphers are identical to those from HTTPS. However, looking at the Signature Algorithm and Subject Alternative Name it becomes clear this is another certificate: it uses SHA-1 and is self-signed.

Note: if you explicitly want to see which protocols and ciphers are tested and not supported by your server, omit the --no-failed parameter. I’ve added this parameter in these examples in order to keep the screenshots more readable. If omitted, you will see it also tests SSLv2 and SSLv3, but only TLS1 in general (and not explicitly TLS11 and TLS12).

Testing IMAP/POP is obviously only required when the services are enabled and in use. Unfortunately SSLScan cannot test IMAP or POP. Luckily OpenSSL can, although its syntax is a bit more complex (SSLScan is actually built on OpenSSL and is sort of a front end for it).

Checking Secure IMAP (explicit) on port 143:

openssl s_client -connect webmail.contoso.com:143 -starttls imap

Checking Secure IMAP (implicit) on port 993:

openssl s_client -connect webmail.contoso.com:993

Checking Secure POP (explicit) on port 110:

openssl s_client -connect webmail.contoso.com:110 -starttls pop3

Checking Secure POP (implicit) on port 995:

openssl s_client -connect webmail.contoso.com:995

Note that even though the recommendation for both IMAP and POP is to use the explicit form, both types are active on your Exchange servers when you enable the corresponding services.

The output for explicit Secure IMAP is shown in Figure 3.

Figure 3. OpenSSL output for Explicit STARTTLS IMAP on port 143

With the current syntax, you only see the protocol and cipher that is actually used, not an overview like SSLSCAN. But it is clear that IMAP is currently using TLS (and not SSLv3) and the preferred cipher as found with SSLSCAN.

You can also check explicitly whether SSL3, TLS10, TLS11 or TLS12 are available by adding the parameter -ssl3, -tls1, -tls1_1 or -tls1_2 to the OpenSSL syntax.
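An added PowerShell wrapper (not from the post) around Win32 OpenSSL’s s_client that runs the -ssl3/-tls1/-tls1_1/-tls1_2 checks just described against the SMTP, IMAP and POP ports in one go, producing the per-protocol overview that SSLScan gives for HTTPS but OpenSSL alone does not. The openssl.exe path and the host name are placeholders; it goes beyond the post by covering all six ports (implicit and STARTTLS) and by interpreting s_client’s output instead of leaving that to the reader.

```powershell
# Added example, not from the original post. Requires Win32 OpenSSL; path is a placeholder.
function Test-TlsProtocols {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $OpenSsl = 'C:\OpenSSL-Win64\bin\openssl.exe'   # placeholder path
    )
    # Port -> STARTTLS protocol name for s_client ($null = implicit TLS, no STARTTLS needed)
    $endpoints = [ordered]@{
        25  = 'smtp'; 587 = 'smtp'
        143 = 'imap'; 993 = $null
        110 = 'pop3'; 995 = $null
    }
    # Protocol label -> s_client switch that forces exactly that protocol version
    $protocols = [ordered]@{ SSLv3 = '-ssl3'; TLS10 = '-tls1'; TLS11 = '-tls1_1'; TLS12 = '-tls1_2' }

    foreach ($port in $endpoints.Keys) {
        foreach ($name in $protocols.Keys) {
            $cmdArgs = @('s_client', '-connect', "${Server}:$port", $protocols[$name])
            if ($endpoints[$port]) { $cmdArgs += @('-starttls', $endpoints[$port]) }

            # 'Q' on stdin makes s_client close the session right after the handshake,
            # so the loop does not hang waiting for interactive input.
            $out = ('Q' | & $OpenSsl @cmdArgs 2>&1) | Out-String
            $exit = $LASTEXITCODE

            # A completed handshake prints the negotiated suite in the SSL-Session block
            # ("Cipher    : ECDHE-RSA-AES256-SHA"); a failed one prints "Cipher    : 0000"
            # (or no block at all) and exits non-zero.
            $cipher = if ($out -match 'Cipher\s*:\s*(\S+)') { $Matches[1] } else { $null }

            [pscustomobject]@{
                Port      = $port
                StartTls  = $endpoints[$port]
                Protocol  = $name
                Supported = ($exit -eq 0 -and $cipher -and $cipher -ne '0000')
                Cipher    = $cipher
            }
        }
    }
}

# Usage with a placeholder host name; compare the table against the HTTPS results from SSLScan
Test-TlsProtocols -Server 'webmail.contoso.com' | Format-Table -AutoSize
```

A row that says Supported = False for SSLv3 on every port, and True for TLS12, is what you want to see after the GPO change described further down; because all of these services share the schannel configuration, any difference between ports points at a different certificate binding or a different path through a load balancer rather than at Exchange itself.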

Figure 4. Example of a GPO disabling SSLv3, rearranging the cipher order and omitting unsafe ciphers.

If you encounter unsafe protocols and/or ciphers on your Exchange servers, there are several ways to mitigate this. You can use the IIS Crypto tool. As you might have more Exchange servers or other servers with IIS, you could consider using a GPO in order to distribute those settings via the SSL Cipher Suite Order and/or registry keys disabling SCHANNEL protocols. See Figure 4 for an example. The cipher order shown was derived from Qualys SSL Labs best practices dated December 2014 and was used in all examples in this post. They are probably outdated (this is pre-Logjam).
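An added PowerShell audit (not from the post) that reads the same SCHANNEL registry keys IIS Crypto or the GPO from Figure 4 writes, so you can confirm on each Exchange server that the policy actually landed before re-running SSLScan. The registry paths are the standard Windows SCHANNEL and cipher-suite-order locations; the way missing values are labelled (“OS default”) and the list of suite names treated as weak are my choices, not something the post prescribes.

```powershell
# Added example, not from the original post. Run locally on each server, or via
# Invoke-Command against a list of Exchange servers.
function Get-SchannelState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $base "$proto\Server"
        $enabled = $null; $disabledByDefault = $null
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            $enabled = $v.Enabled
            $disabledByDefault = $v.DisabledByDefault
        }
        # Interpretation used here: an explicit Enabled=0 turns the protocol off on the server
        # side; DisabledByDefault=1 keeps it off unless an application opts in; no values at all
        # means the OS default for that Windows version applies.
        $state = if ($enabled -eq 0) { 'Disabled' }
                 elseif ($disabledByDefault -eq 1) { 'DisabledByDefault' }
                 elseif ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default' }
                 else { 'Enabled' }
        [pscustomobject]@{
            Protocol          = $proto
            ServerState       = $state
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
        }
    }
}

function Get-PolicyCipherSuiteOrder {
    # The GPO setting "SSL Cipher Suite Order" is stored as one comma-separated REG_SZ here.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $value = (Get-ItemProperty -Path $policy -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not $value) { return @() }
    return ($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Find-WeakCipherSuites {
    param([string[]] $Order = (Get-PolicyCipherSuiteOrder))
    # Suites the post's sources (SSL Labs best practices) would have you drop; my list, not the post's.
    $Order | Where-Object { $_ -match 'RC4|_DES_|3DES|NULL|MD5|EXPORT' }
}

Get-SchannelState | Format-Table -AutoSize

$order = Get-PolicyCipherSuiteOrder
if (-not $order) {
    'No policy cipher suite order set; the OS default order is in effect.'
} else {
    "Policy defines $($order.Count) suites; first preference: $($order[0])"
    $weak = Find-WeakCipherSuites -Order $order
    if ($weak) { "Weak suites still present:`n  " + ($weak -join "`n  ") }
}
```

Reading the keys tells you what was configured, while SSLScan tells you what is negotiated; doing both catches the case where the GPO applied but a load balancer in front of the server still terminates SSLv3.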

Do consider that older clients that will not be updated (Windows XP, Android devices etc.) could be excluded from connecting to Exchange if you set the level of security too high for those older systems. Take this into consideration when raising your security levels.

IIS Exploit can reboot your Windows Server; install patch KB3042553 ASAP
https://dirteam.com/dave/2015/04/18/iis-exploit-can-reboot-your-windows-2008-server-r2-and-up-install-patch-kb3042553-asap/
Sat, 18 Apr 2015 21:18:33 +0000

This week Microsoft released a patch for Windows 7/Windows Server 2008 R2 and up that fixes a critical remote code execution bug, see MS15-034 and CVE-2015-1635 for more info. Unfortunately the patch was reverse engineered and an exploit is now available. This was detected and described by ISC SANS. They added Denial of Service (DoS) as a possible impact, next to Remote Code Execution.

As it turns out, the DoS in question actually causes a Blue Screen of Death (BSoD, also known as a bugcheck) on affected servers. And disturbingly, it’s very easy to do. It makes no difference whether the server is using HTTP or HTTPS. To check whether your servers are affected you can use wget or cURL. An example is shown below for both HTTP (from ISC SANS) and HTTPS:

If you are affected, you will see an “HTTP 416 The requested range is not satisfiable” error:

The response “HTTP 416 The requested range is not satisfiable” means the server is affected.

Do note that in this case iisstart.htm is used as a static file, but any other static file is valid so removing this file doesn’t help you much. For those who are worried AutoDiscover might be a target (as the request is most of the time https://autodiscover.contoso.com/AutoDiscover/AutoDiscover.xml), that URL requires authentication and that seems to prevent the issue:

Autodiscover requires authentication, which seems to block this specific issue.

Changing the range from 0-18446744073709551615 to 20-18446744073709551615 will reboot the server.

Disclaimer: Use at your own risk, be careful when you do this. Do not perform this on production servers and only in lab environments.

I haven’t been able to reproduce this on Exchange servers, but I did perform this on a server with IIS without SSL. Perhaps my cURL syntax isn’t completely correct in order to let it crash, but it is enough to check for the vulnerability. See this YouTube video demonstrating a server BSoD:

Unfortunately IIS filtering doesn’t help you here, and having your servers behind a load balancer (or firewall) won’t help you either. I’m obviously thinking about Exchange, which is frequently published via a load balancer and not a Reverse Proxy (with ISP). Multiple servers behind a load balancer are not a solution either: an attacker can easily issue the request multiple times, so if your load balancer redirects traffic to another server, that one can be affected as well. As most Exchange servers are multi-role and part of a Database Availability Group (DAG), you can see how this could affect more than just client access availability. And if you have Exchange Edge Transport servers, it would impact your mail flow.

What can you do?

The best solution is to install Microsoft patch KB3042553 on (at least) all internet-facing servers that are affected.

That can take a while if you have a lot of servers, and downtime is to be expected.

It is not possible to hide everything behind authentication; for instance, the Exchange OWA Form Based Authentication logon screen requires no credentials to load. And it’s always possible that somebody knows valid credentials they could use.
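Since IIS filtering and load balancers do not stop this, the one place a defender can still see the probe coming is a reverse proxy or request log in front of the servers. The following is an added Python example, not code from the original post or from ISC SANS: it inspects the Range header of raw HTTP requests and flags byte ranges whose upper bound is far beyond any real static file, which is what the check described above (and its crash variant) looks like on the wire. The 4 GiB threshold, the function names and the sample requests are constructed assumptions; the 18446744073709551615 range end is the value quoted in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Upper bound of the byte range used by the check described in the post (2**64 - 1).
MS15_034_UPPER_BOUND = 18446744073709551615

# Assumption for this example: no static file served by the web server is 4 GiB or
# larger, so a range end at or above this value cannot be a legitimate request.
MAX_PLAUSIBLE_RANGE_END = 2 ** 32

# Matches the Range request header anywhere in a raw request-header block.
_RANGE_RE = re.compile(r"^Range:[ \t]*bytes=(.+)$", re.IGNORECASE | re.MULTILINE)


@dataclass
class RangeFinding:
    suspicious: bool
    reason: str
    ranges: List[Tuple[Optional[int], Optional[int]]] = field(default_factory=list)


def parse_byte_ranges(spec: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parse an RFC 7233 byte-range spec ('0-1023', '500-', '-500', comma-separated)
    into (start, end) tuples; an absent start or end is returned as None."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        m = re.fullmatch(r"(\d*)-(\d*)", part)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"malformed byte range {part!r}")
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def inspect_request(raw_request: str) -> RangeFinding:
    """Classify one raw HTTP request (header block as text) by its Range header."""
    m = _RANGE_RE.search(raw_request)
    if not m:
        return RangeFinding(False, "no Range header")
    try:
        ranges = parse_byte_ranges(m.group(1))
    except ValueError as exc:
        # A Range header that does not parse is itself worth a look.
        return RangeFinding(True, f"unparseable Range header: {exc}")
    for start, end in ranges:
        if end is not None and end >= MAX_PLAUSIBLE_RANGE_END:
            reason = "range end exceeds any plausible file size"
            if end == MS15_034_UPPER_BOUND:
                reason = "range end is 2**64-1, the value used by the MS15-034 check"
            return RangeFinding(True, reason, ranges)
        if start is not None and end is not None and start > end:
            return RangeFinding(True, "range start is beyond range end", ranges)
    return RangeFinding(False, "byte ranges within plausible bounds", ranges)


# Constructed sample requests for the demonstration; not captured traffic.
SAMPLE_REQUESTS = {
    "normal": "GET /iisstart.htm HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-1023\r\n\r\n",
    "check": "GET /iisstart.htm HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "no_range": "GET /iisstart.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def scan_samples(samples=SAMPLE_REQUESTS) -> dict:
    """Return {name: finding} so a reviewer can see which requests were flagged."""
    return {name: inspect_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        flag = "ALERT" if finding.suspicious else "ok   "
        print(f"{flag} {name:<9} {finding.reason}")
```

The classifier deliberately keys on the size of the range end rather than on the exact 2**64-1 value, so small variations of the request (the post notes that only the range start has to change to turn the check into a crash) are caught by the same rule; the exact value is only used to make the alert text more specific. Feeding it an unparseable header returns a finding rather than raising, which is what you want in a proxy hook.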

Azure Active Directory Synchronization: Object Matching
https://dirteam.com/dave/2015/04/15/azure-active-directory-synchronization-object-matching/
Wed, 15 Apr 2015 19:39:33 +0000

This post is the fifth in a series about Azure Active Directory Synchronization and will cover Object Matching. Other posts have covered and will cover: Introduction, Part 1; Introduction, Part 2; Filtering, Part 1; Filtering, Part 2; Alternate Logon ID.

Object Matching and Joining

Object matching or joining is relevant if you have multiple Active Directory (AD) forests you want to use for Directory Synchronization to Azure Active Directory (Azure AD). Previously with DirSync, it wasn’t possible (or supported) to connect more than one AD Forest. With AADSync multiple source AD forests are supported and it comes with some new considerations.

It’s important to know whether the objects from those forests are unique across every AD forest, or whether there are in essence duplicate accounts, for instance if you have a resource forest.

If objects are unique across every connected forest, you can leave the default settings during the initial setup of AADSync. Otherwise, you can configure which attribute is used for matching objects from different AD forests: when the values of that attribute are identical, AADSync will join those objects and sync a combined object to Azure AD.

However, it is very possible that objects aren’t entirely identical and have different values for some attributes. An attribute that is empty ($null) on one object will take the value from the other object that does have a value. So, consider Object1 and Object2 and their attribute Department: the value from Object1 is $null (i.e. empty) and the value from Object2 is “Sales”. We match on the mail attribute, which is identical, so the objects will be joined before synchronizing to Azure AD. The joined object’s Department attribute will have the value “Sales” (unless other rules with a Transformation are configured; see the previous Filtering posts explaining this).

But consider the following: ObjectA and ObjectB have attribute telephoneNumber with different values, 5551234 and 0201234 respectively. What will happen? This depends on how the Precedence value of the Synchronization Rules from each forest is set. Rules with a higher precedence number are applied later than rules with a lower number. If the forest of ObjectA was added in AADSync first and the forest of ObjectB was added later (because we consider the ObjectA forest our “main” forest), the synchronization rules from the first forest have a lower precedence value. This means that its values take precedence over the values from the forest of ObjectB. In this scenario the joined and synchronized object will have telephoneNumber value 5551234. See Figure 1 for a view of the ordering of Synchronization Rules when two AD forests are added (ForestA is marked black, ForestB blue).

Figure 1. Example of the Precedence ordering of the default Inbound Synchronization Rules when two forests are added in AADSync. The black bar corresponds with ForestA and the blue bar with ForestB. ForestA was added first during initial configuration and ForestB was added later; for each corresponding rule, the latter has a higher precedence number. (Connectors are redacted for privacy.)
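The two cases above (a $null Department filled from the other forest, and a telephoneNumber conflict decided by rule precedence) as an added Python model; this is not AADSync code and the forest names, the precedence numbers 100 and 110, the helper names and the sample objects are constructed for illustration. The model also shows what the post warns about later: the same objects joined with the forests added in the opposite order yield the other telephone number.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# None models an empty ($null) attribute value.
Attributes = Dict[str, Optional[str]]


@dataclass
class ConnectorSpaceObject:
    """An object as imported from one AD forest's Connector Space."""
    forest: str
    attributes: Attributes


@dataclass
class InboundRule:
    """The inbound join rule created for one forest; a lower precedence number wins."""
    forest: str
    precedence: int


def rules_for_add_order(forests: List[str], first: int = 100, step: int = 10) -> List[InboundRule]:
    """Model the wizard assigning increasing precedence numbers to forests in the
    order they were added. The numbers 100, 110, ... are constructed, not AADSync's own."""
    return [InboundRule(f, first + i * step) for i, f in enumerate(forests)]


def build_metaverse(objects: List[ConnectorSpaceObject], rules: List[InboundRule],
                    match_attribute: str = "mail") -> Dict[str, Attributes]:
    """Join objects whose match attribute is identical and resolve every other attribute
    by rule precedence: the forest with the lowest precedence number supplies the value,
    and a $null from that forest is filled from the next forest in precedence order."""
    precedence_of = {r.forest: r.precedence for r in rules}
    groups: Dict[str, List[ConnectorSpaceObject]] = {}
    for index, obj in enumerate(objects):
        key = obj.attributes.get(match_attribute)
        if key is None:
            key = f"{obj.forest}#{index}"  # no value to join on: stays a separate object
        groups.setdefault(key, []).append(obj)

    metaverse: Dict[str, Attributes] = {}
    for key, members in groups.items():
        members.sort(key=lambda o: precedence_of[o.forest])
        names = sorted({name for o in members for name in o.attributes})
        merged: Attributes = {}
        for name in names:
            # First non-$null value in precedence order wins; all $null stays $null.
            merged[name] = next(
                (o.attributes[name] for o in members if o.attributes.get(name) is not None),
                None,
            )
        merged["joinedFrom"] = ",".join(o.forest for o in members)
        metaverse[key] = merged
    return metaverse


# Constructed sample objects following the post's Object1/Object2 and ObjectA/ObjectB cases.
SAMPLE_OBJECTS = [
    ConnectorSpaceObject("ForestA", {"mail": "jane@contoso.com", "department": None,
                                     "telephoneNumber": "5551234"}),
    ConnectorSpaceObject("ForestB", {"mail": "jane@contoso.com", "department": "Sales",
                                     "telephoneNumber": "0201234"}),
    ConnectorSpaceObject("ForestB", {"mail": "svc-lync@contoso.com", "department": "IT",
                                     "telephoneNumber": None}),
]


def joined_object(add_order: List[str], mail: str = "jane@contoso.com") -> Attributes:
    """Build the metaverse for a given forest add order and return one joined object."""
    return build_metaverse(SAMPLE_OBJECTS, rules_for_add_order(add_order))[mail]


if __name__ == "__main__":
    print("ForestA added first:", joined_object(["ForestA", "ForestB"]))
    print("ForestB added first:", joined_object(["ForestB", "ForestA"]))
```

Running it prints telephoneNumber 5551234 when ForestA was added first and 0201234 when ForestB was, while Department is “Sales” in both cases because ForestA has nothing to contribute there. The third object has no counterpart and simply stays a ForestB-only object in the metaverse.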

Configuring Object Matching

Object matching is configured during the initial (first) configuration of AADSync.

Now we can finally configure Uniquely identify your Users. Choose Match Using and select the way you want to identify your users. In our example (see Figure 2) we choose to match using the mail attribute. Press Next.

Configure Optional Features. Press Next.

Now AADSync is ready to configure. Press Configure.

After a while the configuration is finished and you could start the Synchronization. In this case we will have to add another AD forest, so turn off Synchronization Now and press Finish.

Rerun the DirectorySyncTool and add additional AD Forests.

Figure 2. Uniquely identifying your users. In this screen the option to match using the mail attribute is selected. This means that when the mail attribute of objects from different AD forests is the same, the objects will be matched and joined so that only one object is synchronized to Azure AD.

Things to take into account

You can only configure Object Matching during the initial setup of AADSync and you cannot change this setting afterwards. This is because the Metaverse will already be filled with objects and will not retroactively match them. If you need a change in Object Matching, the easiest way is to uninstall AADSync and remove any lingering related files, install it again, configure Object Matching according to your required specification and then run Synchronization again (after all previous custom settings have been reapplied).

Also, when you configure AADSync during the initial configuration, it’s best not to add all forests at once. Just add the primary AD forest, configure Object Matching and finish the initial wizard. Do not sync. Rerun the configuration wizard and add one AD forest at a time, in order of importance. If you add all forests immediately at initial configuration, AADSync will add the forests in a possibly unexpected and unwanted order, as stated earlier in this post.

For every AD forest, Synchronization Rules are created with a specific precedence number. However, the order is not predictable when adding forests in bulk, which could mean the order in which the Synchronization Rules are triggered is not the one you require. When two objects that have to be joined have different values for an attribute (obviously not the attribute used to match the objects), the value that wins depends on the precedence of the join rules, as described in the previous section.

As stated in the previous posts about Filtering, if you require filtering of matched/joined objects, you will have to resort to Outbound Filtering. This is because joining is performed in the Metaverse right after Inbound Filtering. If Inbound Filtering is not adequate for filtering unwanted objects, Outbound Filtering can limit objects before they are synced to Azure AD. See Filtering, Part 2 of this series for a more extensive explanation.

Object matching with the cloud

After objects are provisioned in Azure AD, in the default situation the matching identifier between the on-premises AD object and the Azure AD object will be the ObjectGUID. This is converted to an ImmutableID, which in this case is the Base64-encoded ObjectGUID. Joe Palarchio has a great blog post explaining the concept.

You certainly don’t want to make an error with precedence rules and have objects provisioned in O365 from the wrong forest. That will result in cloud objects with an ImmutableID from the wrong forest. You would have to fix how objects are joined in AADSync, but the objects will then no longer match. If you do have issues with non-matching objects, check my previous blog post about how to fix the most common DirSync mismatches.

Concluding

You can have multiple AD forests with non-unique objects configured in AADSync and let them join depending on equal values of a configurable attribute. However, this can only be configured during the initial configuration of AADSync. Changes after AADSync is configured are not possible; you will have to perform a complete uninstall and re-install of AADSync.

While configuring, first configure the matching requirements and add only the main AD forest. After configuration has finished, restart the wizard and add one AD forest at a time. This ensures that the precedence of Synchronization Rules will be predictable.

In some cases only Outbound Filtering can be used to limit the (joined) objects synchronized to Azure AD.

Next to matching and joining objects from AD forests, there is also matching with objects in Azure AD. The ImmutableID is the common factor between the object in AD and in Azure AD. Errors in your AADSync configuration could lead to mismatches that require manual fixing.

Azure Active Directory Synchronization: Filtering, Part 2
https://dirteam.com/dave/2015/04/10/azure-active-directory-synchronization-filtering-part-2/
Fri, 10 Apr 2015 06:57:12 +0000

This post is the fourth in a series about Azure Active Directory Synchronization and will cover Filtering. Originally I’d planned to make this one post, but in my opinion it became too large and complex, thus again a part 2. Other posts have covered and will cover: Introduction, Part 1; Introduction, Part 2; Filtering, Part 1; Object Matching; Alternate Logon ID.

In the previous post I discussed why and how to filter: Domain, Organizational Unit or Attribute based filtering.

When to filter, Inbound or Outbound?

Now we have to decide when to filter: Inbound, Outbound or both. My best practice is to always use Inbound filtering when possible. This way you limit the number of objects that are imported into the Connector Space and subsequently the Metaverse. As stated earlier, this can also prevent the need for a full-fledged SQL server. The easiest forms are Domain and OU filtering and they have my preference, but further fine-tuning with Attribute filtering might be required.

To be clear, Domain and OU filtering are always Inbound filtering. The choice between Inbound and Outbound Filtering is determined by the requirements of your deployment. In most cases Inbound filtering is strongly preferred: it filters out objects at the earliest stage, just before they flow into the Metaverse.

Outbound filtering happens when objects are moved from the Metaverse to the Connector Space of your Azure Active Directory (Azure AD), just before synchronization to Azure AD. This means that a lot of objects that AADSync has to handle are sitting in the Metaverse/database, costing resources while they are never used. This is why Outbound filtering should only be used if Inbound filtering is not an option for the objects that need filtering. Obviously you can use Inbound filtering (with a different scope) in combination with Outbound filtering.

As of now I’ve only implemented Outbound filtering once. The situation required the synchronization of two Active Directory (AD) forests with almost identical objects, which had to be matched and combined (see a follow-up post on this subject). These scenarios (multiple AD forests that need to sync objects to Azure AD) are the most likely candidates for Outbound filtering, as you might require matching to occur before filtering unwanted objects. And matching occurs in the Metaverse, after Inbound filtering has already occurred.

Figure 1. The process of Outbound Filtering, when two objects are joined. See text for clarification. Unedited source: https://msdn.microsoft.com/en-us/library/azure/dn800989.aspx

See figure 1 above: One forest was the “real” production forest and the other a hosted Lync resource forest. We used inbound OU filtering (See Inbound Synchronisation Rule, ISR in figure 1) with the production forest, but the hoster created (via a third party sync tool) all similar objects in one single OU which made this kind of filtering from that forest useless. Domain filtering also wasn’t an option and attribute filtering also wasn’t possible. This meant we probably would get a lot of objects in the Metaverse that shouldn’t be synced to Azure AD, hence no ISR in that specific Attribute flow.

We decided to filter outbound (see Outbound Synchronisation Rule, OSR in figure 1) *after* (almost) identical objects were matched and combined in the Metaverse, using an attribute (AttributeA in figure 1) from our production forest. If the production object had the correct attribute value (AttributeA = True in figure 1) it would be synced to Azure AD, whether it was matched with its resource-object counterpart or not.

If the resource forest had an object that didn’t match with anything from the production forest, it would not get the correct attribute value and would never be synced to Azure AD. This way we assured that no lone object existing only in the resource forest would be synced and only objects from the production forest would be synced to Azure AD whether they are joined or not.

Example of Outbound Filtering

In this example we will configure outbound filtering by customizing an existing rule. We will filter objects that do not have ExtensionAttribute1 with value O365, meaning that (joined) objects that have this attribute with that value will be synced to Azure AD.

Open the Synchronization Rules Editor (in Start Menu).

In the left pane you see Inbound and beneath it Outbound. Select Outbound.

Find and select the rule named “Out to AAD – User Join” and click Edit.

Click on the Scoping Filter and click Add Clause.

In the clause for Attribute choose ExtensionAttribute1, as Operator select EQUAL and in the Value field enter O365. See Figure 2.

Click Save.

If you are confident that the rule is correct and everything else checks out, start a Full Synchronization.

Figure 2. In the clause for Attribute choose ExtensionAttribute1, as Operator select EQUAL and in the Value field enter O365.

Changes to filtering

If filtering has changed after previous synchronization runs and an object no longer falls within the selection, this will result in a deletion in Azure AD. This is comparable to deleting an on-premises object, which is subsequently deleted within Azure AD, or to be more precise moved to the Deleted Users recycle bin. When the deleted object falls within the filtering selection again, it will reappear as an active object within Azure AD. This is valid for any kind of filtering: Domain, OU or Attribute, and Inbound or Outbound.

New or customized Filtering Rules

You can create new rules, but sometimes an existing rule already has (mostly) the correct scope. It is supported to customize existing rules (created during install and initial configuration). Be careful not to have overlapping scopes, as that could produce unexpected results and break normal operations, also depending on the Precedence of the rules.

However, new rules are retained when in-place upgrading AADSync, whereas customized existing rules might be reset to their default configuration after an upgrade. This is why you always have to check all rules before starting your synchronization again, especially Outbound Filtering rules.

Concluding

Filtering objects is essential in order to sync only the objects to Azure AD that are required. It can also limit your required resources. There are several methods that can be used, each with their own pros and cons: Domain, Organizational Unit or Attribute, each a more specific way to filter objects. The preference is to filter early, meaning Inbound, and to keep filtering simple, meaning a greater focus towards Domain and OU filtering. However, there are situations, especially when more AD forests are involved, where Outbound and Attribute filtering are the only ways to keep your Azure AD lean and mean.

Changes in filtering can result in objects being deleted in Azure AD, so after changing filtering rules always check whether they had the expected result. If not, reverting the rule and starting a synchronization again should return the objects to an active state in Azure AD.

You can create new or customize existing (default) rules, but be sure to check whether they have reverted to their default configuration when upgrading AADSync.

In any case, a sound understanding about how AADSync works is required to know how and where to filter what.

Azure Active Directory Synchronization: Filtering, Part 1
https://dirteam.com/dave/2015/04/06/azure-active-directory-synchronization-filtering-part-1/
Mon, 06 Apr 2015 19:23:18 +0000

This post is the third in a series about Azure Active Directory Synchronization and will cover Filtering. Originally I’d planned to make this one post, but in my opinion it became too large and complex, thus again a part 2. Other posts have covered and will cover: Introduction, Part 1; Introduction, Part 2; Filtering, Part 2; Object Matching; Alternate Logon ID.

Why would you want to filter?

In most cases the current Active Directory (AD) implementation contains a lot more objects (user accounts, contacts and groups) than are required within Azure Active Directory (Azure AD). For instance, service accounts that are only required on-premises may have no purpose in being synchronized for Office 365. Luckily, you can filter objects, so that only the ones you require online are synchronized. Filtering makes synchronization more secure (no forgotten accounts in the services, hence less attack surface), in certain ways less complex, and it can speed up synchronization.

Filtering can also help you limit the number of objects, which in turn can help you keep your AADSync database small enough to prevent the need for a full SQL implementation (the default install uses SQL Express LocalDB and has a limit of about 50,000 objects; with SQL Express it’s about 100,000). Additionally, you may not bump into the artificial synchronization ceilings incorporated by Microsoft (these require a support call to be lifted) and Azure Active Directory Free might suit your needs, since it’s limited to 500,000 objects (this requires licenses to be lifted).

What can you filter on?

You can use all, two or just one field to filter. Which field(s) you choose, is in part dependent on how your Active Directory is or Active Directories are structured and what objects need to be synchronized to Azure AD/Office 365.

Domain

So how do you filter on domain?

Start the Synchronization Service Manager (or miisclient in DirSync).

Go to the Connectors tab and select the Connector for the AD you want to filter.

Right click and select Properties.

Go to the Configure Directory Partitions section.

In some cases you will need to refresh, if not all partitions are visible. You will have to enter the AD sync account credentials.

Now you can select the specific partition (your fully qualified domain names in Distinguished Name format) you want to synchronize or unselect the ones you don’t want to synchronize.

In the example screenshot above we see several partitions. For our purposes I’ve created the lab03.com domain with the child.lab03.com child domain. Currently both domains are selected and will be synchronized to Azure AD. If you have multiple ADs connected in AADSync, you will need to perform this for every AD connector, i.e. for each specific Active Directory forest.

This way you can easily filter out entire domains of the forests connected in the Sync tool. You can still filter the selected domains further with OU filtering or Attribute filtering.

Organization Unit

Most of the time, the service account has access to your complete Active Directory (AD). But there are undoubtedly Organizational Units (OUs) that contain objects that don’t require a sync, such as the Exchange Security Groups OU. Luckily, you can select specific OUs. A lot of ADs already have an OU structure that separates objects that are eligible for synchronization from those that aren’t; service/admin accounts or specific security groups, for instance.

How do you filter on OU?

Start the Synchronization Service Manager (or miisclient in DirSync).

Go to the Connectors tab and select the Connector for the AD you want to filter.

Right click and select Properties.

Go to the Configure Directory Partitions section.

In the section below there is a button called Containers…:

Press the Containers… button and a selection screen appears:

Now you can select the OUs that need to be synchronized or unselect those that don’t. Do note that you can have Sub OUs, that are automatically selected if you select the parent OU. In the example the root OU AADSync is selected and the Asgard Sub OU under root OU DirSync.

Depending on your OU design and sync requirements, the selection process can be very tedious. I haven’t found a nice way to make bulk changes (yet?). However:

The Advanced button at the bottom left shows the selection as text, with the containers in Distinguished Name (DN) format:

The Advanced Container selection could speed things up if you have a list with OUs in DN format.

When you are ready with selecting OUs, be sure to click all OK buttons to save the filter configuration.

If you still require further filtering of objects because OUs contain objects not to be synchronized, you will have to add Attribute filtering.

Attributes

Even with Domain filtering and OU filtering it is possible that some objects that should not be synced are in an OU you need to synchronize; template users, for instance. Or it is impractical to change the OU design just for the purpose of syncing to Azure AD.

In those cases you might want to use Attribute filtering. Each object in Active Directory (AD) has attributes. Some are filled with values and some aren’t, depending on the situation. For instance, a mailbox enabled user account has attributes with values (for instance, database, delegates etc.) that non-mailbox enabled user accounts don’t.

You can filter on Attributes with the Synchronization Rules Editor, another tool installed with AADSync (and I will limit myself to AADSync).

As seen at the starting screen (see example above), you can edit existing rules or add a new rule. For documentation purposes it’s nice to know you can export a newly created or an edited rule (no importing from the tool though). And obviously you can also delete rules.

Unfortunately the documentation isn’t that extensive regarding all specific settings, so I’ll do my best to explain most of them, at least to get a general feel how these rules work.

In step 1 we determine the Name of the rule and the source (Connected System), such as the Active Directory forest. The Connected System Object Type is the type of AD object; the most common are user, contact and group. Other specific types are possible (inetOrgPerson, for instance), but I can’t think of a case where other types will be required in combination with AAD. The Link Type is the action performed by the rule; Join, StickyJoin or Provisioned are possible. With Join, objects will be merged or updated; with Provisioned the object will be created. Do note that this option will be superseded by any Join rule configured in a later step (3). Finally the precedence of the rule is specified, which regulates the order in which the rules are applied on the whole system.

In step 2 the scope of the selection is further specified, in this example when extensionAttribute15 equals the value NoSync, that object is handled by this rule. This is the core of Attribute filtering.

Step 3 is used to define Join rules for situations that require joining two or more objects in the Metaverse. This requires two attribute values from the source and target object to be equal.

And finally in Step 4 we determine or change the value of an attribute. The flow type is either Constant, Direct or an Expression. The first sets an attribute to a specified value (filled in Source), Direct takes the attribute value from the source object and Expression is the most flexible way to define a value, using Visual Basic for Applications (VBA). In this case the attribute cloudFiltered is set to True, which means another (Outbound) rule will filter this object. A Function Reference list with an explanation can be found here, while a Provisioning Expressions explanation can be found here.

Other examples of AADSync filtering with Synchronization Rules can be found here and here.

The most important selection however, is the rule type: Inbound or Outbound. Domain and Organization Unit filtering is always inbound, however Attribute filtering is possible both inbound and outbound. I will continue that subject in the upcoming fourth post in this series.
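The scoping-filter mechanics from this post (step 2: extensionAttribute15 EQUAL NoSync; step 4: a Constant flow setting cloudFiltered to True) and the Outbound example from Filtering, Part 2 above (the “Out to AAD – User Join” rule with the clause ExtensionAttribute1 EQUAL O365), as one added Python model of how such rules decide what reaches Azure AD. This is not AADSync code: the inbound rule name, the precedence numbers, the helper names and the sample objects are constructed, only four of the editor’s operators are modelled, and the outbound join rule is modelled as also scoping on cloudFiltered NOTEQUAL True so that the flag set inbound actually filters the object outbound.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# None models an empty ($null) attribute value.
Attributes = Dict[str, Optional[str]]


@dataclass
class Clause:
    """One scoping-filter clause. Only a subset of the editor's operators is modelled."""
    attribute: str
    operator: str          # EQUAL, NOTEQUAL, ISNULL or ISNOTNULL
    value: Optional[str] = None

    def matches(self, obj: Attributes) -> bool:
        actual = obj.get(self.attribute)
        if self.operator == "EQUAL":
            return actual is not None and actual == self.value
        if self.operator == "NOTEQUAL":
            return actual != self.value
        if self.operator == "ISNULL":
            return actual is None
        if self.operator == "ISNOTNULL":
            return actual is not None
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass
class SyncRule:
    """A rule with a scoping filter (groups OR-ed, clauses within a group AND-ed)
    and Constant transformations applied when the object is in scope."""
    name: str
    direction: str                      # "Inbound" or "Outbound"
    precedence: int
    scope: List[List[Clause]]
    transformations: Dict[str, Optional[str]] = field(default_factory=dict)

    def in_scope(self, obj: Attributes) -> bool:
        return any(all(c.matches(obj) for c in group) for group in self.scope)


def apply_inbound(obj: Attributes, rules: List[SyncRule]) -> Attributes:
    """Run the inbound rules in precedence order (lower number first), flowing
    Constant transformations into the metaverse copy of the object."""
    mv = dict(obj)
    inbound = sorted((r for r in rules if r.direction == "Inbound"), key=lambda r: r.precedence)
    for rule in inbound:
        if rule.in_scope(mv):
            mv.update(rule.transformations)
    return mv


def exported_to_azure_ad(mv: Attributes, rules: List[SyncRule]) -> bool:
    """An object reaches the Azure AD connector space only if the scoping filter of
    an outbound rule is true for it."""
    return any(r.in_scope(mv) for r in rules if r.direction == "Outbound")


# Constructed rules; the outbound name mirrors the rule customized in Filtering, Part 2,
# the inbound rule name and both precedence numbers are illustrative.
RULES = [
    SyncRule("In from AD – User NoSync", "Inbound", 50,
             scope=[[Clause("extensionAttribute15", "EQUAL", "NoSync")]],
             transformations={"cloudFiltered": "True"}),
    SyncRule("Out to AAD – User Join", "Outbound", 100,
             scope=[[Clause("cloudFiltered", "NOTEQUAL", "True"),
                     Clause("extensionAttribute1", "EQUAL", "O365")]]),
]

# Constructed objects as they would sit in the metaverse after joining.
OBJECTS = {
    "alice": {"mail": "alice@contoso.com", "extensionAttribute1": "O365", "extensionAttribute15": None},
    "bob":   {"mail": "bob@contoso.com", "extensionAttribute1": "O365", "extensionAttribute15": "NoSync"},
    "carol": {"mail": "carol@contoso.com", "extensionAttribute1": None, "extensionAttribute15": None},
}


def sync_decisions(objects: Dict[str, Attributes] = OBJECTS,
                   rules: List[SyncRule] = RULES) -> Dict[str, bool]:
    """Return, per object, whether it would be synchronized to Azure AD."""
    return {name: exported_to_azure_ad(apply_inbound(attrs, rules), rules)
            for name, attrs in objects.items()}


if __name__ == "__main__":
    for name, exported in sync_decisions().items():
        print(f"{name}: {'synced' if exported else 'filtered'}")
```

alice is synced; bob is tagged cloudFiltered by the inbound rule and then dropped by the outbound scope; carol, standing in for the lone resource-forest object from Part 2, never had ExtensionAttribute1 set and is dropped as well. Because rules only narrow what the outbound join rule lets through, an overlapping scope on a second outbound rule would let an object back in, which is the overlap problem the Part 2 post warns about.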

Concluding

Filtering allows you to limit the number of objects synced to Azure AD. There are three supported ways to filter your AD objects: based on Domain, Organizational Unit or Attributes. Each method is a more granular filter, but also more complex.

My preference is to begin with Domain/OU filtering and, if that is not enough and you are unable to change your on-premises AD to fit your synchronization needs, then I would consider Attribute filtering. Do note that this post focuses on Inbound filtering; in the next post I will discuss Outbound filtering, which is only possible with Attribute Filtering.

Azure Active Directory Synchronization: An Introduction, Part 2
https://dirteam.com/dave/2015/03/31/azure-active-directory-synchronization-an-introduction-part-2/
Tue, 31 Mar 2015 09:47:50 +0000

This post is the second in a series about Azure Active Directory Synchronization, covering part 2 of an introduction. Previous and follow-up posts have covered and will cover: Introduction, Part 1; Filtering, Part 1; Filtering, Part 2; Object Matching; Alternate Logon ID.

As most organizations will not require FIM, I will focus my attention mostly on AADSync. Although DirSync is still the first choice (unless features from AADSync are required), it is deprecated; but more importantly, most concepts are unchanged between the two.

In order to be able to understand subjects like Filtering, Object Matching etc. discussed in follow up posts, it is necessary to get a grasp of the terminology and concepts used within AADSync. I’ll try to keep the terminology as concise as possible, as this post is targeted at those who want a quick introduction. For a more detailed explanation you can read the Technical Concepts and Understanding the Default Configuration.

Graphic representation of the logic underneath AADSync. See text for clarification. Source: https://msdn.microsoft.com/en-us/library/azure/dn800989.aspx

Connectors and Connector Space

Connectors (or Management Agents in DirSync) are the items that connect with Active Directory (AD), whether it is an on-premises Active Directory or Azure Active Directory (AAD) used by services like Office 365. They regulate the import or export of objects, or of changes on objects, from the specific environment they are connected to. They can only be connected to one environment at a time: DirSync could only have two connectors, one to your on-premises AD and one to AAD. AADSync can have multiple connectors to multiple AD forests, but only one connector to an AAD.

The information obtained by a connector is stored in the Connector Space, a cached set of the data imported by the specific Connector. It is possible to filter what objects are imported, more on this later.

Attribute flow and Metaverse

Objects and their attributes from all connectors will be transported to the Metaverse, and from the Metaverse they will be synchronized with AAD; this process is called the attribute flow. The Metaverse is a combination of all objects and attributes from all connectors; depending on the configuration, objects from all connectors are unique or can be joined to form one object (more on this in another post).

Updating and Provisioning

Any object within the Metaverse that has attributes (relevant to AAD) with values that have changed, will be updated with the next export to AAD. If an object previously did not exist in AAD, it will be created by AADSync i.e. provisioned. If an object is deleted in AD, it will be deleted in AAD (to be found in Deleted Users for 30 days).

Synchronization Editor & Rules

For a closer look at the inner workings, starting the Synchronization Rules Editor is a good way. In DirSync you had to find and start miisclient.exe. Luckily with AADSync it’s now a predefined shortcut in your Start Menu.

The AADSync Sync Rule Editor with a default set of rules.

After starting the Synchronization Rules Editor, you will find a whole bunch of separate rules. These are essentially the backbone of AADSync and regulate what and how objects and their attributes are imported, matched, transformed and exported.

The preconfigured rules are determined by the installer based on the AADSync configuration options selected and the state of the Active Directory schema of any on-premises AD forest during installation. For instance, if you have Exchange on-premises and enabled the Hybrid Exchange option during install, you will have a different set of rules, because different sets of information need to be handled in specific ways. If required, you can add or customize rules. See a follow-up post regarding this.

Inbound & Outbound rules

You have inbound and outbound rules. Inbound rules are applied when importing information from a specific source, such as your on-premises Active Directory, into the Metaverse. Outbound rules are applied when exporting information from the Metaverse to a specific target, mainly Azure Active Directory. This will be explained in more detail in an upcoming Filtering post.

Each rule has specific configuration sections that dictate when and how an object is treated by the rule. These sections are Description, Scoping, Join and Transformation. Each rule also has a Precedence value, which influences the order in which rules are handled.

Description

Example of Description

The Description page is more than a Name and Description: it is also where you set which connector the rule applies to, the Object type (user, contact or group), the Precedence and the Link Type. Linking will be discussed below under Join.

The precedence of rules regulates which rule wins when more than one rule flows a value to the same attribute. Rules with a lower precedence number win over similar rules with a higher precedence number.

Scoping

Example of Scoping

With Scoping you define the requirements an object must meet to be handled by this rule. If the scoping filter returns true, the object is handled by this rule and the actions in Join and/or Transformation are performed; otherwise the rule is skipped for that object.

For instance, a filter can check the attribute mailNickname with the operator ISNOTNULL, which requires the object to be at least mail-enabled. For each clause you choose the Attribute, the Operator (EQUAL, NOTEQUAL, CONTAINS, STARTSWITH, ISNULL, ISNOTNULL and so on) and a Value where the operator needs one. Clauses within one scoping group must all be true (logical AND); when a rule has several groups, any one matching group is enough (logical OR).

Join

Example of Join Rules

These rules determine how objects in the connector space are related to objects in the Metaverse. If the join conditions match, the connector space object is joined to the existing Metaverse object. If no join rule matches, the Link Type set on the Description page decides what happens next, for instance Provision (i.e. create a new Metaverse object). More on this in the upcoming Object Matching post.

Transformation

Example of Transformations

In the Transformation section you alter the values of specific attributes after scoping and joining. A flow can be Direct (the source value is passed through unchanged), Constant (a fixed value independent of the source) or Expression (a formula in a VBA-like expression language, for complex cases such as combining attributes or flowing a value only under a condition).
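To tie the four sections together, here is an added example (not code from the original post) that builds one inbound custom rule from PowerShell instead of clicking through the editor: a Description (name, direction, precedence, connector, object types, link type), the mailNickname ISNOTNULL scoping filter from the text, a join on mail, and a Direct plus an Expression transformation. The cmdlets and constructor arguments are the ones the Sync Rules Editor of later Azure AD Connect builds emits when you export a rule; the original AADSync release may differ, so check Get-Command -Module ADSync on your server before running it. The connector name 'contoso.local', the rule name and the precedence value 50 are placeholders.

```powershell
# Added example, not from the original post. Cmdlets as found in the ADSync module
# of later Azure AD Connect builds; verify against the installed version.
# 'contoso.local', the rule name and precedence 50 are placeholder values.
Import-Module ADSync

$connectorName = 'contoso.local'   # assumed name of the on-premises AD connector
$connector     = Get-ADSyncConnector -Name $connectorName
$precedence    = 50                # custom rules get a low number so they win over the defaults

# Check first: two inbound rules with the same precedence leave the winner undefined,
# so refuse to continue if the number is already taken.
$clash = Get-ADSyncRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Precedence -eq $precedence }
if ($clash) { throw "Precedence $precedence is already used by rule '$($clash.Name)'" }

# Description section: everything the Description page of the editor asks for.
New-ADSyncRule `
    -Name 'In from AD - User Custom (example)' `
    -Identifier ([guid]::NewGuid().ToString()) `
    -Description 'Added example rule: mail-enabled users only, joined on mail' `
    -Direction 'Inbound' `
    -Precedence $precedence `
    -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `
    -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -SoftDeleteExpiryInterval 0 `
    -ImmutableTag '' `
    -OutVariable syncRule | Out-Null

# Scoping section: one group with one clause (attribute, value, operator).
# Clauses inside a group are ANDed; separate groups are ORed.
New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'mailNickname', '', 'ISNOTNULL' -OutVariable scope0 | Out-Null
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($scope0[0]) -OutVariable syncRule | Out-Null

# Join section: relate the connector space object to a Metaverse person whose
# mail attribute matches (connector attribute, metaverse attribute, case-sensitive).
# If nothing matches, the LinkType above ('Join') means no object is provisioned.
New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `
    -ArgumentList 'mail', 'mail', $false -OutVariable join0 | Out-Null
Add-ADSyncJoinConditionGroup -SynchronizationRule $syncRule[0] `
    -JoinConditions @($join0[0]) -OutVariable syncRule | Out-Null

# Transformation section: a Direct flow, then an Expression flow written in the
# VBA-like syntax ([attribute] references, IIF, IsPresent, Trim).
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Source @('displayName') -Destination 'displayName' `
    -FlowType 'Direct' -ValueMergeType 'Update' -OutVariable syncRule | Out-Null
Add-ADSyncAttributeFlowMapping -SynchronizationRule $syncRule[0] `
    -Destination 'extensionAttribute1' -FlowType 'Expression' -ValueMergeType 'Update' `
    -Expression 'IIF(IsPresent([department]),Trim([department]),NULL)' -OutVariable syncRule | Out-Null

# Nothing is persisted until this call.
Add-ADSyncRule -SynchronizationRule $syncRule[0]

# Verify where the new rule sits relative to the default rules.
Get-ADSyncRule | Where-Object { $_.Direction -eq 'Inbound' } |
    Sort-Object Precedence | Select-Object Precedence, Name, LinkType | Format-Table -AutoSize
```

A new rule is only evaluated for objects already in the connector space after a full (initial) synchronization, so run one after adding it: in later builds that is Start-ADSyncSyncCycle -PolicyType Initial, in AADSync the initial run of DirectorySyncClientCmd.exe. The Preview button in the editor lets you test the scoping and join outcome for a single object first.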

Concluding

An understanding of these synchronization concepts is required in order to successfully customize the available configuration options, such as filtering, discussed in later posts. It is also very helpful when designing your synchronization requirements and when troubleshooting issues. A more detailed explanation can be found in the Technical Concepts and Understanding the Default Configuration pages.